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Course Introduction 


Overview 


Building Cisco Remote Access Networks (BCRAN) v2.1 is an instructor-led course presented 
by Cisco Systems training partners to end-user customers. This five-day course focuses on how 
to use one or more of the available permanent or dialup WAN technologies to connect company 
sites. In addition, network security and general security components are presented. 


Outline 


The Course Introduction includes these topics: 
™ Course Objectives 

™ Course Activities 

™ Cisco Certifications 

m= Learner Skills and Knowledge 

m= Learner Responsibilities 

™ General Administration 

= Course Flow Diagram 

m= Icons and Symbols 


@ Learner Introductions 


Course Objectives 


This topic lists the course objectives. 


Course Objectives 


Upon completing this course, you will be 
able to: 


¢ Interconnect network devices used for WANs 


¢ Build a functional configuration to support 
network requirements 


° Verify the functionality of the network 


¢ Determine network device operational status and 
performance 


Course Objectives (Cont.) 


Upon completing this course, you will be 
able to: 


* Manage device configuration files 
* Configure access lists to meet requirements 


* Use show commands to display network 
operational performance 


* Use debug commands to detect processes and 
anomalies 
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Upon completing this course, you will be able to meet these objectives: 


Interconnect network devices as specified by a design and installation plan 

Build a functional configuration to support specified network operational requirements 
Verify the functionality of a network to ensure that it operates as specified 

Verify network connectivity to non-Cisco devices 


Accurately determine network device operational status and network performance using the 
command-line interface 


Manage device configuration files to reduce device downtime according to best practices 
using Cisco IOS commands 


Configure access lists to meet specified operational requirements using the command-line 
interface 


Display network operational parameters using the appropriate show commands so that you 
can detect anomalies 


Monitor network operational parameters using the appropriate debug commands so that 
you can detect anomalies 
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Course Activities 


This topic discusses the enterprise WAN network that you will build in this course. 


BCRAN Activity Network Topolo 


fn 
Packet-Switched, 


Analog, ISDN, and 
Internet Services 


Serial 
ISON PRI 
Frame Relay 


ISON BRI 


POTS 


Asynchronous 
Modem 
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During the lab exercises in this course, you will build the network depicted in the figure. To 
accomplish this task, you will practice the following: 


m Assembling and cabling WAN components 

= Supporting asynchronous modems 

= Configuring PPP features 

™ Accessing broadband 

m Using Virtual Private Networks (VPNs) with IP Security (IPSec) 

m Using ISDN and dial-on-demand routing (DDR) to enhance remote connectivity 
m Using DDR enhancements 

™ Configuring a Frame Relay connection with traffic shaping 

= Implementing DDR backup 

m Using quality of service (QoS) in WANs 


m= Using authentication, authorization, and accounting (AAA) to scale access control 
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Cisco Certifications 


This topic discusses Cisco career certifications and paths. 


Cisco Certifications 


isco Certifications 


www .cisco.com/go/certifications 


© 2004 Cisco Systems, Inc. All rights reserved. 


Cisco provides three levels of general career certifications for IT professionals with several 
different tracks to meet individual needs. Cisco also provides focused Cisco Qualified 
Specialist (CQS) certifications for designated areas such as cable communications, voice, and 
security. 


There are many paths to Cisco certification, but only one requirement—passing one or more 
exams demonstrating knowledge and skill. For details, go to 


http:/Awww.cisco.com/go/certifications. — 
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Learner Skills and Knowledge 


This topic lists the course prerequisites. 


Prerequisite Learner Skills 
and Knowledge 


Bulking Cisco Remote 
Access Networks (BCRAN) 


u onfiguring Standard and extended access its 
Configuring routed protocols such as IP, OSPF, and EIGRP 


Cénfiguring routing protocols like RIP, IGRP, and so on 
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Before attending the BCRAN course, you must have basic knowledge of data networking 
equivalent to the information in the Introduction to Cisco Networking Technologies (INTRO) 
course and the /nterconnecting Cisco Network Devices (ICND) course. Experience working in 
a network environment is recommended. 
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Learner Responsibilities 


This topic discusses the responsibilities of the learners. 


Learner Responsibilities 


° Complete 
prerequisites 


° Introduce 
yourself 


¢ Ask questions 


To take full advantage of the information presented in this course, you must have completed the 
prerequisite requirements. 


In class, you are expected to participate in all lesson exercises and assessments. 
In addition, you are encouraged to ask any questions relevant to the course materials. 
If you have pertinent information or questions concerning future Cisco product releases and 


product features, please discuss these topics during breaks or after class. The instructor will 
answer your questions or direct you to an appropriate information source. 
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General Administration 


This topic lists the administrative issues for the course. 


General Administration 


Class-Related Facilities-Related 


* Sign-in sheet * Break and lunch room 


- Length and times locations 


¢ Course materials 
- Attire * Rest rooms 


¢ Telephones/faxes 


The instructor will discuss these administrative issues: 


Sign-in process 

Starting and anticipated ending times of each class day 
Class breaks and lunch facilities 

Appropriate attire during class 

Materials that you can expect to receive during class 
What to do in the event of an emergency 

Location of the rest rooms 


How to send and receive telephone and fax messages 
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° Site emergency procedures 
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Course Flow Diagram 


This topic covers the suggested flow of the course materials. 


Course Flow Diagram 


Day 1 


Course 
Introduction 


Module 1: WAN 
Technologies and 
Components 


Module 2: 
Supporting 
Asynchronous 
Modems 


Module 2: 
Supporting 
Asynchronous 
Modems (cont.) 


Module 3: 
Configuring PPP 
Features 


Module 3: 


Configuring PPP 


Features (cont.) 


Module 4: 
Accessing 
Broadband 


Module 4: 
Accessing 
Broadband 


Module 5: Virtual 
Private Networks 


Module 5: Virtual 
Private Networks 
(cont.) 


Module 6: Using 
ISDN and DDR 
to Enhance Remote 
Connectivity 


Module 6: Using 
ISDN and DDR 
to Enhance Remote 
Connectivity 
(cont.) 


Module 7: Using 
DDR Enhancements 


Module 7: Using 
DDR Enhancements 
(cont.) 


Module 8: 
Configuring Frame 
Relay with Traffic 
Shaping 


Module 8: 
Configuring Frame 
Relay with Traffic 
Shaping (cont.) 


Module 9: 
Implementing DDR 
Backup 


Module 10: Using 
QoS in Wide-Area 
Networks 


Module 11: Using 
AAA to Scale 
Access Control 


Super Lab 
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The schedule reflects the recommended structure for this course. This structure allows enough 
time for the instructor to present the course information and for you to work through the lab 
exercises. The exact timing of the subject materials and labs depends on the pace of your 


specific class. 
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Course Introduction 


Icons and Symbols 


This topic shows the Cisco icons and symbols used in this course. 


Cisco Icons and Symbols 


Fie 
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Learner Introductions 


This is the point in the course where you introduce yourself. 


Learner Introductions 


Your name 


Your 
company 


Skills and 
knowledge 


Brief history 
Objective 


Prepare to share the following information: 


Your name 

Your company 

If you have most or all of the prerequisite skills 
A profile of your experience 


What you would like to learn from this course 
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Module 1 | 


WAN Technologies and 
Components 


Overview 


This module discusses various remote access technologies and considerations for an enterprise 
that is building its corporate network. This module also addresses Cisco Systems product 
selection information. 


Objectives 


Upon completing this module, you will be able to: 


Outline 


Explain the advantages and disadvantages of a variety of WAN connection types 
Select the appropriate WAN connection types 
Select Cisco equipment that will suit the specific needs of each site 


Use Cisco tools to select the proper equipment 


The module contains these lessons: 


Defining WAN Connection Types 
Defining WAN Encapsulation Protocols 
Determining the WAN Type to Use 


Selecting Cisco Products for Remote Connections 
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Defining WAN Connection 
Types 


Overview 


This lesson provides an overview of WAN connection types and explains some advantages and 
disadvantages of each. 


Relevance 


It is important to understand how to select the appropriate WAN connection type that best 
meets the needs and budget of the customer. 


Objectives 
Upon completing this lesson, you will be able to: 
m™ Describe the characteristics of WAN connections 
m Identify the types of WAN connections 
m™ Describe dedicated circuit-switched WAN connections 
m™ Describe on-demand circuit-switched WAN connections 
m Identify packet-switched WAN connections 
m= Describe selected broadband access connections 
m™ Describe various DSL connections 


™ Describe cable connections 


Learner Skills and Knowledge 


To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m= All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO) 
course 


m= All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course 


Outline 


1-4 


This lesson includes these topics: 


Overview 

WAN Connection Characteristics 
Common WAN Connection Types 
Dedicated Circuit-Switched Connections 
On-Demand Circuit-Switched Connections 
ISDN Connections 

Packet-Switched Virtual Connections 
Broadband Access 


Summary 


Quiz 
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WAN Connection Characteristics 


This topic describes various WAN connection types. 


WAN Connection Characteristics 


Connection Duration Dedicated 


Switching Circuit Packet 


Synchronization External | Embedded 
Data Rate Narrowband Broadband 


Termination End-to-End Transport network 


Media 


Copper | Fiber 
— Twisted Pair — Multimode 
- Coaxial - Single-Mode 
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Many significant WAN connection characteristics can be grouped into these categories: 


™ Connection duration 


— Dedicated 
m Always on 
= Cost typically related to bandwidth and distance 
—  Ondemand 
= Connected on demand 
= Cost related to time of usage, bandwidth, and distance 


= Switching 


— Circuit-switched 


End-to-end bandwidth allocation and control 


Provisioned permanently or on demand 


— Packet-switched 


Asynchronous transport network 
Statistical bandwidth allocation in transport network 


Cost typically related to bandwidth guarantee and other quality of service (QoS) 
parameters 
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m= Synchronization mechanism 
— External 
= Clocking determined by separate conductor in the media 
m Thicker cable with more conductors per connection 
— Embedded 
™ Clocking determined by bit times within the data stream 
m Fewer conductors per connection 
m Data rate 
— Narrowband 
m= Rates up to and including 128 kbps. 
— Broadband 


m= Data rates greater than narrowband rate. Exact dividing line is more marketing 
than technology. Greater than ISDN BRI and equal to or less than T1. 


= Termination 
— End-to-end circuits 


m™ Bit synchronization and data-link termination managed at ends of circuit. 
Appearance of increased control. Service provider transparent. 


— Transport network 


m= Intermediate network terminates bit synchronization, content carried 
asynchronously across transport network. Includes packet switching (Frame 
Relay and ATM) and broadband access technologies. 


m Transmission media 
— Copper: Cheaper for lower data rates and shorter distances 
m= Twisted pair 
™ Coaxial cable 
— Fiber: More expensive for high data rates and longer distances 
= Multimode 


m Single-mode 
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Common WAN Connection Types 


This topic describes the more common types of WAN connections. 


Common WAN Connection Types 


* Dedicated Circuit-Switched 

* On-Demand Circuit-Switched 

* Packet-Switched Virtual Circuit 
* Broadband Access 
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For the purposes of this discussion, WAN connections have been grouped into four general 
categories that reflect generally available WAN services: 


™ Dedicated circuit-switched 
™ On-demand circuit-switched 
™ Packet-switched virtual circuit 


™ Broadband access 
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Dedicated Circuit-Switched Connections 


This topic describes dedicated circuit-switched WAN connections. 


Dedicated Circuit-Switched Connections 


Leased Lines 


EIA/TIA-232, EIAJTIA-449, 
V.35, X.21E1A/TIA-530 


, 


TDM Circuits 


DS-0 to T1/E1 through T3/E3 
CSU often in interface 


Leased-line serial connections typically connect to a transport service provider through a DCE 
device, which provides clocking and transforms the signal to the channelized format that is 
used in the service provider network. These point-to-point dedicated links provide a single, 
preestablished WAN communications path from the customer circuit-switched premises, 
through a carrier network, to a remote network. Dedicated lines through T3/E3 rates are 
frequently described as leased lines. The established path is permanent and fixed for each 
remote network that is reached through the carrier facilities. The service provider reserves the 
full-time private use of the customer circuits through the transport network. 


Synchronization of timing and data-link control is preserved end to end. These dedicated 
connections are made using the synchronous serial ports on the router with bandwidth of up to 
34 Mbps over a service provider E3 transport link and 45 Mbps over T3. Different 
encapsulation methods at the data-link layer provide flexibility and reliability for user traffic. 
Typical connections on a dedicated network WAN connection employ 56-kbps, 64-kbps, T1, 
El, T3, and E3 data rates. 

These synchronous serial standards are supported on Cisco routers through serial interfaces: 

mg EJA/TIA-232 

m EJA/TIA-449 

mw V.35 


m EJA/TIA-530 


1-8 Building Cisco Remote Access Networks (BCRAN) v2.1 Copyright #: 2004, Cisco Systems, Inc. 


In North America, the connecting device is called a CSU/DSU. The CSU connects to the 
service provider network, while the DSU connects to the network device serial interface. The 
CSU/DSU is a device (or sometimes two separate digital devices) that adapts the media format 
from a serial DTE device, such as a router, to the media format of the service provider 
equipment, such as a WAN switch, in a switched carrier network. The CSU/DSU also provides 
signal clocking for synchronization between these devices. The figure shows the placement of 
the CSU/DSU. 


It is increasingly common to have direct connections to the carrier transport network using 
fractional or complete T1/E1 circuits. In this case, a CSU provides demarcation and logical 
termination between the service provider network and the customer network. Direct T3/E3 and 
Synchronous Digital Hierarchy/SONET (SDH/SONET) connectivity may also be available for 
organizations requiring higher data rates. 


The private nature of a dedicated connection allows better control over the WAN connection. 
Dedicated connections also offer high speeds beyond T3/E3 levels using SDH/SONET. 
Dedicated connections are ideal for high-volume environments with steady-rate traffic patterns 
or high-peak demands of critical traffic. However, because the line is not shared, dedicated 
connections tend to be more costly. 

As a general rule, dedicated connections are most cost-effective in these situations: 

m Long connect times 


m Short distances 


= Critical traffic requirements that must be guaranteed 
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On-Demand Circuit-Switched Connections 


1-10 


This topic describes various switched connections. 


On-Demand Circuit-Switched 


“> 
me 


¢ 


Dial Access 
ISDN 
POTS 


¢ Requires call setup and call teardown 


¢ Usually provided by telephone carrier 


On-demand circuit switching is a WAN transport method in which a dedicated physical circuit 
is established, maintained, and terminated through a public switched telephone network (PSTN) 
for each communication session. Initial signaling at the setup stage determines the endpoints 
and the connection between the two endpoints. 


Typical circuit-switched connections are: 
m Asynchronous modem 


m ISDN BRI and ISDN PRI 


Advantages of on-demand connection types include dynamic selection of the circuit endpoint 
and the accumulation of charges for transport only while connections are active. Costs are 
directly related to connection time and distance for each plain old telephone service (POTS) 
line or ISDN bearer (B) channel. As traffic between endpoints increases in volume, the duration 
of the connection increases. 


Asynchronous modem connections require minimal equipment cost and use the existing 
telephone network. Users can easily access a central site from any location that has a telephone 
connection into a telephone network. 


The nature of asynchronous connections allows you to configure the connection to be 
enabled—only when you need the service—by using dial-on-demand routing (DDR) through 
the modem using an asynchronous serial interface. DDR is ideal when you need short-term 
access only. 
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You should enable DDR on your asynchronous interface when: 


= Traffic volume is low or traffic is periodic: Calls are placed and connections are 
established when only the router detects traffic marked as “interesting.” Periodic 
broadcasts, such as routing protocol updates, should be prevented from triggering a call. 


m You need a backup connection for redundancy or load sharing: DDR can be used to 
provide backup load sharing and interface failure backup. 


A router acts as an access server, which is a concentration point for dial-in and dial-out calls. 
Mobile users, for example, can call into an access server at a central site to access their e-mail 
messages. 


Asynchronous connections are useful in these situations: 

m= A backup connection required 

m Small site 

m Short-term on-demand access 

m@ Periods of lower network traffic and fewer users 

Asynchronous connections through the PSTN require modems at each end of the connection to 
convert digital data signals to analog signals that can be transported over the telephone 
network. Modem speeds typically vary from 19.2 kbps to 56 kbps, depending on line quality. 
The slower bandwidth speeds limit the amount of traffic you may want to send over an 
asynchronous line. To place or receive an asynchronous serial call, equip a Cisco router with an 
asynchronous serial interface. The serial standard to attach to an external modem is the 


EIA/TIA-232 standard. The interface to the telephone company varies by country. Within the 
United States, a standard RJ-11 adapter connects the modem to the telephone outlet. 
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ISDN Connections 


This topic describes ISDN circuit-switched connections. 


ISDN Connections 


ISDN connections are typically switched connections that, like asynchronous connections, 
provide WAN access when needed rather than through a dedicated link. ISDN offers increased 
bandwidth over a typical dialup connection, faster setup, and is intended to carry data, voice, 
and other traffic across a telephone network. 


To place an ISDN BRI call, you should equip your router with a BRI interface. You may also 
need an ISDN terminal adapter, which is a device that is used to connect ISDN BRI 
connections to other interfaces, such as EIA/TIA-232. A terminal adapter is essentially an 
ISDN modem. You should also consult your telephone company for information specific to 
your connection. 


Note Generally, in Europe, the service provider supplies the Network Termination 1 (NT-1). In 
North America, the customer supplies the NT-1. 


ISDN PRI is configured over connections such as T1 and E1 technologies. To place an ISDN 
call, equip your router with the proper connection. T1 is used in the United States, and El is 
common in other countries. 


As with asynchronous connections, you can also configure DDR to control access for specific 
periods of time. 


1-12 Building Cisco Remote Access Networks (BCRAN) v2.1 Copyright #: 2004, Cisco Systems, Inc. 


Packet-Switched Virtual Connections 


This topic describes packet-switched virtual connections. 


Packet-Switched Connections 


¢ Virtual circuits are established. 


* Packet-switched networks generally share 
bandwidth statistically. 


Packet switching is a method in which a network device uses a single point-to-point link to a 
service provider to transport packets intended for one or more destinations across a carrier 
network. Packet switching is a networking technology that is based on the transmission of data 
in packets. Dividing a continuous stream of data into small units (packets) enables data from 
one or more sources to one or more destinations to share the communication channels within 
the transport network. 


Packet-switched networks use virtual circuits that provide end-to-end connectivity. Statically 
programmed switching devices accomplish physical connections. Packet headers identify the 
circuit and may change on each network link that is traversed. Packet switching requires the use 
of precise switching information throughout the transport network. 


Packet-switched networks can be either privately or publicly managed. The underlying 
switching fabric is transparent to the network user, and the switches are responsible for the 
internal delivery of data across the packet-switched network only. Packet switching is 
implemented at the data-link layer of the Open System Interconnection (OSI) reference model. 


Packet-switched networks offer an administrator less control than a point-to-point connection, 
and the bandwidth is shared statistically. However, the cost is generally less than for a leased 
line. With WAN speeds comparable to those of leased lines, packet-switched networks are 
generally suitable for links between two large sites that require high-link utilization or present 
high peaks of critical traffic. 
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As a general rule, packet-switched connections are most cost-effective in networks with these 
characteristics: 


m Long connect times 
m Large geographic distances 
m= High-link utilization 


m= High peaks of critical traffic 
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Broadband Access 


This topic describes two broadband access technologies. 


Broadband Access 


Cable/DSL 
Modems 


Service Provider 
Ne x Pvare Ethernet 


Connection 


aT | 


° Use existing infrastructure 
* Provide broadband access 


¢ Terminate at service provider POP 
Internet transport 
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Internet access is moving from dialup modems and slow connections to broadband access, 
using a variety of technologies. The technology takes advantage of existing telephone and cable 
television distribution infrastructures to provide broadband access to the Internet. While there is 
no universal definition of broadband, the Federal Communications Commission (FCC) 
considers advanced telecom or high speed to be defined as 200 kbps or greater. Generally, a 
speed of 128 kbps is adequate for most users. Broadband can allow remote office staff and 
small office, home office (SOHO) users to connect to the central site at higher data rates than 
are available with traditional on-demand technologies. 


High-speed broadband access to the Internet through a broadband point of presence (POP) and 
then to corporate networks using secure Virtual Private Networks (VPNs) is a reality for many 
users in the networked world today. This broadband access has the potential to directly improve 
employee productivity and to provide a foundation for new voice and video business services 
over the Internet. 


Many corporations and educational institutions have instituted broadband solutions for access 
by suppliers, customers, and staff. The use of the Internet for secure site-to-site connectivity 
using VPNs is increasing, especially for less critical traffic. 


Broadband access options, in addition to the legacy dedicated circuit-switching and packet- 
switching technologies, include digital subscriber line (DSL) and cable modems. The most 
common problem in offering these broadband services to remote users is the lack of coverage 
because of infrastructure deficiencies. 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
EE Ss eee | 


* WAN connection types are dedicated, circuit- 
switched, packet-switched, and broadband. 


* AWAN can be characterized by connection 
duration, type of switching, form of 
synchronization, data rate, termination, and 
media type. 


* Dedicated serial connections are continuously 
available, typically using a CSU/DSU to connect to 
service provider TDM network. 


* Asynchronous circuit-switched connections use a 
process like DDR when there is a backup 
connection needed. 


Summary (Cont.) 


° Circuit-switched ISDN connections use Link 
Access Procedure on the D channel for BRI 
signaling and use T1/E1 facilities for PRI 
connections. 


¢ Packet-switched connections establish virtual 
circuits using packet headers to identify network 
destinations. 


¢ Broadband allows increased bandwidth and new 
services such as VPN while using existing 
infrastructure via DSL or cable modem. 
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Quiz 


Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 


Ql) ~~ Which major WAN connection characteristic includes consideration of the elapsed 


connection time? 


A) data rate 
B) termination 
C) transmission media 
D) connection duration 
Q2) Dedicated lines are alsoknownas_——? 
A) honor lines 
B) committed lines 
C) leased lines 
D) agreed lines 


Q3) — Which type of router interface port is used to make dedicated permanent connections? 


A) 
B) 
C) 
D) 


Ethernet ports 
synchronous serial ports 
console ports 


ISDN BRIB channels 


Q4) — Which of the following conditions is appropriate for asynchronous serial connections? 


A) 


B) 
C) 


D) 


Your network would use them as its primary WAN connections for sending 
huge amounts of data traffic. 


Your network needs a very reliable high-speed connection. 


Your network is a small remote site and does not require a high-speed WAN 
connection. 


Your network has five users and they send large files to a central site that is 
located more than 35 miles away. 


Q5) ~~ Which of the following is considered an on-demand connection? 


A) 
B) 
C) 
D) 


100-Mbps LAN connection 
broadband connection 
T1 synchronous serial connection 


ISDN BRI connection 
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Q6) What physical connection is used for high-speed ISDN access in the United States? 
A) a 23B + 1D channelized T1 line 
B) a 2B + 1D channelized BRI 
C) a 30B + 1D channelized E1 line 


D) an ISDN network terminal adapter 


Q7) What form does the transmission of data take in packet switching? 
A) indices 
B) time slices 
C) bit streams 
D) small units 


Q8) What is the most common problem a remote user typically encounters in obtaining 
broadband access service? 


A) lack of area coverage by broadband providers 
B) large initial connection fee charged by broadband providers 
C) high cost of connections compared to other dedicated WAN services 


D) reduced bandwidth compared to on-demand WAN services 
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Quiz Answer Key 


Ql) D 

Relates to: WAN Connection Characteristics 
Q2) Cc 

Relates to: Dedicated Circuit-Switched Connections 
Q3)  B 

Relates to: Dedicated Circuit-Switched Connections 
Q4) 

Relates to: On-Demand Circuit-Switched Connections 
Q5)  D 

Relates to: ISDN Connections 
Q6) A 

Relates to: ISDN Connections 
Q7) D 

Relates to: Packet-Switched Virtual Connections 
Q8) A 


Relates to: Broadband Access 
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Defining WAN Encapsulation 
Protocols 


Overview 


This lesson describes the various WAN encapsulations and explains the advantages and 
disadvantages of each. 


Relevance 


It is important to understand how to select the appropriate WAN encapsulation type to provide 
the correct access and security level for the customer. 


Objectives 


Upon completing this lesson, you will be able to: 
m Explain the various WAN encapsulation types that are available 
m™ Describe the advantages of PPP encapsulation 


m™ Describe the advantages of Frame Relay encapsulation 


Learner Skills and Knowledge 


To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m= All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO) 
course 


m All knowledge presented in the Jnterconnecting Cisco Network Devices (ICND) course 


Outline 


1-22 


This lesson includes these topics: 


Building Cisco Remote Access Networks (BCRAN) v2.1 


Overview 

WAN Encapsulation Protocols 
PPP Encapsulation 

Frame Relay Encapsulations 


Summary 


Quiz 
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WAN Encapsulation Protocols 


This topic describes various WAN encapsulation protocols. 


Typical WAN Protocols 


Circuit-Switched =—7 


Frame Relay, ATM 


Packet-Switched =<" : [2 
Service 
Provider ‘1 
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Each WAN connection uses an encapsulation protocol to encapsulate traffic while it is crossing 
the WAN link. To ensure that you use the correct encapsulation protocol, you must configure 
the Layer 2 encapsulation type to use. The choice of encapsulation protocol depends on the 
WAN technology and the communicating equipment. Typical WAN protocols include: 


m= PPP: PPP originally emerged as an encapsulation protocol for transporting IP traffic over 
point-to-point links. PPP also established a standard for the assignment and management of 
IP addresses, asynchronous (start/stop) and bit-oriented synchronous encapsulation, 
network protocol multiplexing, link configuration, link quality testing, and error detection. 
In addition, PPP established option negotiation for such capabilities as network-layer 
address negotiation and data-compression negotiation. PPP supports these functions by 
providing an extensible link control protocol (LCP) and a family of Network Control 
Protocols (NCPs) to negotiate optional configuration parameters and facilities. The 
broadband connection type that is used will determine the use of Point-to-Point Protocol 
over Ethernet (PPPoE) or Point-to-Point Protocol over ATM (PPPoA). 


= High-Level Data Link Control (HDLC): HDLC is the default encapsulation type for 
Cisco routers on point-to-point dedicated links. It is a bit-oriented synchronous data-link 
layer protocol. HDLC specifies a data encapsulation method on synchronous serial links 
using frame characters and checksums. HDLC is a standard that is open for interpretation. 
As a result, there are different versions of HDLC. If you are communicating with a device 
from another vendor, synchronous PPP is a more viable option. 


m Frame Relay: Frame Relay is a high-performance packet-switched WAN protocol that 
operates at the physical and data-link layers of the OSI reference model. Frame Relay was 
originally designed for use across ISDN interfaces. Today, it is used over a variety of other 
network interfaces and typically operates over WAN facilities that offer more reliable 
connection services and a higher degree of reliability. 
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= ATM: ATM is the international standard for cell relay in which multiple service types 
(such as voice, video, or data) are conveyed in fixed-length (53-byte) cells. Fixed-length 
cells allow processing to occur in hardware, thereby reducing transit delays. ATM is 
designed to take advantage of high-speed transmission media such as E3, SONET, and T3. 
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PPP Encapsulation 


This topic describes PPP encapsulation. 


PPP Encapsulation 


Multiple Protocol 
Encapsulations Using NCPs 


PPP, PPPoE, PPPoA 
Encapsulation — rags 


Link Setup and Control 
Using LCP in PPP 
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PPP is an international standard encapsulation that is used for these types of connections: 

m Asynchronous serial 

m ISDN 

m Synchronous serial 

m Broadband 

PPP (RFC 1331) provides a standard method of encapsulating higher-layer protocols across 


point-to-point connections. PPP extends the HDLC packet structure with a 16-bit protocol 
identifier that contains information on the content of the packet. 


Because it is standardized, PPP supports vendor interoperability. PPP uses its NCP component 
to encapsulate multiple protocols. 


PPP uses another of its major components, the LCP, to negotiate and set up control options on 
the WAN data link. Some of the PPP LCP features covered in this course are: 

= Authentication 

= Compression 

@ Multilink 

PPPoE provides the ability to connect a network of hosts to an access concentrator over a 
simple bridging access device. With this model, a host uses its own PPP stack, and the user is 


presented with a familiar user interface. Access control, billing, and type of service can be done 
on a per-user, rather than a per-site, basis. 
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PPPoA was primarily implemented as part of asymmetric DSL (ADSL) technology. It relies on 
RFC 1483 (now RFC 2686), operating in either logical link control/Subnetwork Access 
Protocol (LLC/SNAP) or virtual circuit multiplexing (VC mux) mode. Customer premises 
equipment (CPE) will encapsulate a PPP session based on this RFC for transport across the 
ADSL loop and the digital subscriber line access multiplexer (DSLAM). 


In these architectures, IP address allocation is based on IP Control Protocol (IPCP) negotiation, 
which follows the same principle as PPP in dial mode. 


In PPPoE, the source of IP address allocation depends on the type of service to which the 
subscriber has subscribed and where the PPP sessions are terminated. PPPoE makes use of the 
dial-up networking feature of Microsoft Windows, and the IP address assigned is reflected 
within the PPP adapter. PPPoE can be used on existing CPE (that cannot be upgraded to PPP or 
that cannot run PPPoA), extending the PPP session over the bridged Ethernet LAN to the PC. 
PPPoE can also be configured on the CPE to terminate the PPP session and use Network 
Address Translation (NAT) for workstation access to the Internet. 


Although PPPoA does not require host-based software, it does require that each CPE device 
have a username and password for authentication to a central site. The PPP sessions initiated by 
the subscriber are terminated at the service provider that authenticates users via a local database 
on the router or through a RADIUS server. The PPPoA session authentication is based on 
Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol 
(CHAP). The service provider must assign only one IP address for the CPE, and the CPE can 
be configured for NAT. 
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Frame Relay Encapsulations 


This topic describes Frame Relay encapsulations. 


Frame Relay Encapsulations 


Frame Relay is an industry-standard data-link layer protocol that is commonly used in packet- 
switched networks. Frame Relay supports technological advances such as fiber-optic cabling 
and digital transmission. Frame Relay can eliminate time-consuming processes (such as error 
correction and flow control) that are necessary when using older, less reliable WAN media and 
protocols. 


When purchasing bandwidth, customers buy a committed information rate (CIR) from the 
carrier to ensure that their minimum bandwidth requirements will be met. Adding an additional 
channel or data-link connection identifier (DLC]) will provision a new virtual circuit and set of 
connection characteristics. Adding more channels to an existing DLCI, where the physical 
facilities support it, adds bandwidth. Channels can be added easily in this manner to meet 
growth requirements. 


Because a public network is being used, a service provider must be consulted to obtain 
information specific to a link. 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 


¢ Each WAN connection uses an encapsulation 
protocol to encapsulate traffic while it is crossing 
the WAN link. 


¢ PPP is an international standard encapsulation 
used for asynchronous serial, ISDN, synchronous 
serial, and broadband connections. 


° Frame Relay is an industry-standard data-link layer 
protocol commonly used in packet-switched 
networks. 
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Quiz 


Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 


Ql) What is the fixed length of an ATM cell? 


Q2) Which component does PPP use to negotiate and set up control options on the WAN 


A) 128 bytes 
B) 56 bytes 
C) 53 bytes 
D) 64 bytes 
data link? 

A) NCP 

B) LCP 

C) FTP 

D) TFTP 


Q3) In Frame Relay, what is a DLCI? 


A) 
B) 
C) 
D) 


data-link control identifier 
data-level control identifier 
data-link connection identifier 


data-level connection identifier 
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WAN Technologies and Components 
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Quiz Answer Key 


QI): 2 

Relates to: WAN Encapsulation Protocols 
Q2) 8B 

Relates to: PPP Encapsulation 
Q3) Cc 


Relates to: Frame Relay Encapsulations 
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Determining the WAN Type to 
Use 


Overview 


This lesson describes how to select the appropriate WAN connection for a given situation. 


Relevance 


When you design internetworks, you must make several key decisions concerning connectivity 
among different users or groups in your WAN environment. 


Objectives 


Upon completing this lesson, you will be able to: 

m™ Describe the various aspects of selecting the correct WAN connection 

m Distinguish among various WAN connections by speed and cost 

m™ Describe the requirements of a central site 

m™ Describe the requirements of a branch office site 

m™ Describe the requirements of a SOHO site 

m@ Select the appropriate WAN equipment for a CO site 

m™ Select the appropriate WAN equipment for a branch office site 

m Select the appropriate WAN equipment for a SOHO site 

m Identify the appropriate interfaces that will support your WAN connection 


m Verify that the router components are installed and functioning properly 


Learner Skills and Knowledge 


To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m All knowledge presented in the /ntroduction to Cisco Networking Technologies (INTRO) 
course 


m All knowledge presented in the /nterconnecting Cisco Network Devices (ICND) course 


Outline 


This lesson includes these topics: 

m Overview 

m= WAN Connection Types 

m WAN Connection Speed Comparison 
m= WAN Connection Summary 

m Site Requirements 

™ Central Site Considerations 

= Central Site Router Equipment 

m™ Branch Office Considerations 

m Branch Office Router Equipment 
m SOHO Site Considerations 

m SOHO Site Router Equipment 

= Summary 


= Quiz 
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WAN Connection Types 


This topic describes how to select a WAN connection. 


Connection Selection Considerations 


° Availability 

¢ Bandwidth 

° Cost 

¢ Ease of management 
¢ Application traffic 

* QoS and reliability 

* Access control 
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When you design internetworks, you must make several key decisions concerning connectivity 
among different users or groups of users in your WAN environment. 


When selecting a WAN connection, you should consider these factors: 


m Availability: Each method of connectivity has limits to its availability that is inherent in its 
design, usage, and implementation. For example, Frame Relay is not available in all 
geographic regions. 


= Bandwidth: WAN bandwidth is expensive, and organizations do not want to pay for more 
bandwidth than they need. Determining usage over the WAN is a necessary step in 
evaluating the most cost-effective WAN services for your needs. 


= Cost: WAN usage costs are typically 80 percent of the entire information services budget. 
Cost is a major consideration when different WAN services and different service providers 
are being evaluated. If, for example, you use the line for only 1 hour a day, you may want 
to select a DDR connection such as an asynchronous or ISDN connection. 


m Ease of management: Network designers are often concerned about the degree of 
difficulty associated with managing connections. Connection management refers to both 
the initial configuration at startup and the ongoing configuration tasks of normal operation. 
Traffic management is the ability of the connection to adjust to different rates of traffic, 
regardless of whether the traffic is steady or bursty in nature. Dedicated lines are often 
easier to manage than shared lines. 


= Application traffic: The application traffic may be many small packets, such as a terminal 
session, or very large packets, such as a file transfer. 
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™ Quality of service (QoS) and reliability: How critical is the traffic that is intended to 
travel over the link? A backup connection may be necessary. 


= Access control: A dedicated connection may help control access, but electronic commerce 
cannot occur on a wide scale unless consumers can access some portion of your network. 
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WAN Connection Speed Comparison 


This topic describes various WAN speeds. 


WAN Connection Speed Comparison 


Leased line, Frame Relay 


Cable 


DSL 


ISDN—PRI 
ISON—BSRI 


s 
3 
3 
< 
$ 


Asynchronous 
Dialup 


56/64 kbps 128 kbps E1/T1 E3T3 


Theoretical Maximum WAN Speeds 
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The figure illustrates the WAN speeds for typical technologies. Network administrators must 
select a WAN option based on the required bandwidth. 


The speeds, costs, and availability of WANs vary internationally. For example, in North 
America, high-bandwidth speeds such as TI are easily available at reasonable prices. Europe 
offers comparable speeds, such as E1, but prices tend to be higher. Other parts of the world 
offer limited WAN services with lower speeds, typically up to 64 kbps, and the costs are 
higher. 


Broadband options include DSL and high-speed cable modems. 

Broadband is generally defined as any sustained speed above 128 kbps. However, that 
definition may soon change. Broadband access can allow remote office staff and small office, 
home office (SOHO) users to connect to the central office LAN at high speeds. 

A cable modem can provide up to 90 times the speed (4 Mbps) for remote access. 

DSL is a technology that operates over unused bandwidth on a regular telephone line to deliver 


fast digital data transmission up to 25 times the speed (approximately 1 Mbps) without 
affecting the analog telephone service that is used. 
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WAN Connection Summary 


This topic discusses a summary of WAN connections. 


WAN Connection Summary 


Leased Line High control, full bandwidth, high-cost enterprise 
networks, and last-mile access 


Broadband Cable - A very fast connection shared through a 
local area network to the Intemet. Low cost, but 
performance can vary 
DSL - Converts existing telephone lines into access 

aths for multimedia and high-speed data 
ransfers. Most high-performance DSL 
connections have distance limitations 


Creates a cigital loop. Higher bandwidth than 
typical dial-up, offen with significantly tegher cost 


Slow setup and transmission speeds. Location 
flexibility 
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The figure compares the attributes of various types of WAN connections. Each WAN 
connection has advantages and disadvantages. For example, setting up a dialup asynchronous 
connection will offer limited bandwidth only. However, a user can call into the office from 
anywhere over the existing telephone network. 
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Site Requirements 


This topic describes the factors that a network administrator must evaluate for central site, 
branch office, and SOHO WAN connections. 


Company Site 


“ = - and - 
soseef a Packet-Switched 


Analog, ISDN, and 
internet services 


Senai 
ISDN PRO a 
Frame Relay 


ISON BRI 


Remote Site, 


ruts Branch Office 
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A company with multiple sites that vary in size will need a remote network to connect the 
various locations. Typical locations include these sites: 


= Central site: The central site is a large site that is often the corporate headquarters or a 
major office. Regional offices and SOHOs may need to connect to this site for data and 
information. Because users may access this site via multiple WAN technologies, it is 
important that the central site accommodate many types of WAN connections from remote 
locations. The central site is often referred to as headquarters, the enterprise, or corporate. 


= Remote site: The remote site is a smaller office that generally accommodates employees 
who have a compelling reason to be located away from the central site, such as a regional 
salesperson. Remote site users must be able to connect to the central site to access company 
information. Remote sites are sometimes called branch offices, remote offices, or sales 
offices. Small and medium-size businesses can benefit from high-speed Internet access, 
VPN connectivity to corporate intranets, telecommuting capabilities for work-at-home 
employees, interactive television, and economical PSTN-quality voice and fax calls over 
the managed IP networks. Employees of large and small businesses who work from their 
homes need secure high-speed remote access to the corporate intranet and need access to 
the Internet for e-mail communication with customers and suppliers. 
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= SOHO site: This SOHO site is a small office with one to several employees or the home 
office of a telecommuter. Telecommuters may also be mobile users, that is, users who need 
access while traveling or who do not work at a fixed company site. Depending on the 
amount of use and the WAN services available, telecommuters working from home tend to 
use dialup and broadband services. Mobile users tend to access the company network via 
an asynchronous dialup connection through the telephone company or may access the 
corporate intranet using VPN client software on their laptops. Telecommuters working 
from home may also use a VPN tunnel gateway router for encrypted data and voice traffic 
from the company intranet. These solutions provide simple and safe access for branch 
offices or SOHOs to the corporate network site, according to the needs of the users at the 
sites. 
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Central Site Considerations 


This topic describes central site considerations. 


Central Site Considerations 


SOHO, 
Mobile Users 


Packet-Switched 
Analog, ISDN, and 


Internet services 


Remete Site, 
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¢ Must provide access to multiple users and control network costs 
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The central site WAN connection is a critical focal point for a company. Because many other 
sites and users access this site in a variety of ways, it is important that your central site solution 
have a modular design that can accommodate many types of WAN connections from remote 
locations. 


The architecture of a WAN that is used to connect company campuses must optimize 
bandwidth, minimize costs, and maximize the effective service to end users. Considerations to 
keep in mind for a central site WAN include: 


= Multiple access connections: Users will connect to the central site using various media. 
Central site WANs must allow for multiple media options and simultaneous access by 
multiple users. 


= Cost: Keep costs low while maintaining a satisfactory level of service. For example, some 
WAN charges are based on usage, such as ISDN. Features such as DDR and compression 
ensure that WAN costs are kept to a minimum. As another example, leased lines are 
generally charged at a fixed rate, so you may want to consider this service only if the line 
will sustain high use. Broadband connections such as cable and DSL offer a low-cost, high- 
speed solution. 


m Access control: Company information must be restricted, allowing users access only to the 
areas in the network for which they are authorized. Access lists can prevent unauthorized 
data flow between offices. For PPP network links, PAP or the superior CHAP can identify 
the remote entity to prevent unauthorized network connection. SOHO and branch office 
users can gain access to secure sites through the use of VPN technologies. 


= QoS: It is important to set priorities for traffic over the link and manage traffic flow so that 
bursty traffic does not slow mission-critical traffic. 
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m Redundancy and backup: Because a link may fail or usage may be high at certain peak 
times during the day, the connection to the central office should be backed up. Avoid 
backing up links using the same service provider. 


= Scalability: The network must be able to grow with the company. 
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Central Site Router Equipment 


This topic introduces Cisco central site router equipment. 


Central Site Router Equipment 


4-Port Scrial WAN Network Module Dig ital Madem Network Module 
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Choose the router that supports the WAN protocols that you will use. As illustrated in the 
figure, the router and network modules will support the interfaces in the network topology that 
are used in this course. 

These routers are typical Cisco Systems equipment for a central site: 

m™ Cisco 2600 Series 

@ Cisco 3600 Series 

™ Cisco 3700 Series 

@ Cisco 7200/7500 Series 


Copyright © 2004, Cisco Systems, Inc. WAN Technologies and Components 1-41 


Branch Office Considerations 


This topic describes branch office considerations. 


Branch Office Considerations 


Packet-Switched 
Analog, ISDN, and 
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A remote site or branch office typically has fewer users than the central site, and therefore 
needs a smaller WAN connection. 


Remote sites connect to the central site and to some other remote sites. Telecommuters may 
also require access to the remote site. A remote site can use the same or different media. 


Remote site traffic can vary, but is typically sporadic. The network designer must determine 
whether it is more cost-effective to offer a permanent or dialup solution. 


The remote site must have a variety of equipment, but does not require as much as the central 
site. Typical WAN technologies connecting a remote site to the central site include: 

m™ Leased line 

m Frame Relay 

m ISDN 

m= Broadband services (cable or DSL) 
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Typical considerations for setting up a remote site WAN connection are: 


Multiple access connections: Users will connect to the branch site using various media. 
Branch site WANs must allow for multiple media options and simultaneous access by 
multiple users. It must also have the connectivity to the Central or SOHO site. 


Cost: Sometimes called path cost, cost is an arbitrary value that is typically based on hop 
count, media bandwidth, or other measures. Cost is assigned by a network administrator to 
compare various paths through an internetwork environment. Cost values are used by 
routing protocols to determine the most favorable path to a particular destination; the lower 
the cost, the better the path. 


Access control: To prevent unauthorized traffic, routers and firewalls use a set of rules that 
permit or deny certain traffic. Access control is commonly applied to router interfaces and 
can be configured to control which data sessions can pass and which can fail. Users can 
gain secure access by using VPN solutions to connect to corporate intranets. 


Redundancy: In internetworking, duplicate devices, services, or connections can perform 
the work of original devices, services, or connections in the event of a failure. 


Authentication: The remote site must be able to authenticate itself to the central site. 


Availability: Service providers may not offer certain WAN services in some regions. This 
consideration generally becomes more critical as sites are set up in more remote locations. 
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Branch Office Router Equipment 


This topic introduces Cisco branch office router equipment. 


Branch Office Router Equipment 
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Choose a router that supports the WAN protocols and interfaces that you will use. The Cisco 
1700 Series router and the WAN interface cards shown in the figure will support the interfaces 
that are required for a branch office in the network topology used in this course. 

The following routers are typical Cisco equipment for a branch office: 

™ Cisco 1600 Series 

= Cisco 1700 Series 

m™ Cisco 2500 Series 

= Cisco 2600 Series 
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SOHO Site Considerations 


This topic describes telecommuter site considerations. 


SOHO Site Considerations 


Analog, ISON, and 
Internet services 


* Must access company information on demand from various remote locations 
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Improvements in WAN technologies allow many employees to do their jobs almost anywhere. 
The growth in the number of SOHO and small company sites has exploded. As with central and 
remote sites, WANs for SOHO sites must balance cost and bandwidth requirements. 


An asynchronous dialup solution using the existing telephony network and an analog modem is 
often the solution for SOHOs because it is easy to set up and the telephone facilities are already 
installed. As usage and bandwidth requirements increase, other remote access technologies 
should be considered. 


The needs of mobile users make an asynchronous dialup connection a good remote solution. 
Employees on the road can use their PCs with modems and the existing telephone network to 
connect to the company. 

The typical WAN connections employed at SOHO sites are: 

m Asynchronous dialup 

m ISDN BRI 

m Broadband 


m Frame Relay 


The typical considerations for a remote site WAN connection are: 
= Cost 
= Authentication 


m Availability 
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SOHO Site Router Equipment 


This topic describes Cisco SOHO site router equipment. 


SOHO Site Router Equipment 
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Choose the router that supports the WAN protocols and interfaces that you will use. As 
illustrated in the figure, the Cisco 800 Series router is an example of a SOHO site router that 
will support the interfaces required in the network topology that is used in this course. 

The following routers are typical Cisco Systems equipment for a SOHO site: 

™ Cisco 800 Series 


m Cisco 1700 Series 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 


* Selecting a WAN connection involves considering 
such things as availability, bandwidth, cost, and 
management ease. 


* Each WAN connection has advantages and 
disadvantages. 


* The central site should be designed to 
accommodate many different types of WAN 
connections from remote locations. 


° The type of equipment used will depend upon the 
needs of a particular site. 
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Quiz 


1-48 


Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 


Ql) 


Q2) 


Q3) 


Q4) 


QS) 


Q6) 


What percentage of the information services budget do WAN costs typically 
constitute? 


A) 10 percent 
B) 25 percent 
C) 50 percent 
D) 80 percent 


Which of the following is an advantage of using an asynchronous dialup connection? 
A) its high speed 

B) the ability to connect to the WAN from any active telephone line 

C) its always-on state 


D) the ability to use the telephone connection for voice calls at the same time 


Which of the following sites will most users connect to for data and information? 

A) branch site 

B) SOHO site 

C) central site 

Which of the following technologies would be used by SOHO and branch office users 
to gain access to a very secure central site? 


A) VPN technologies 


B) standard password authentication protection technologies 
C) unsecured high-speed broadband connection technologies 
D) slower-speed asynchronous dialup technologies 


Which of the following is most typically used to permit or deny traffic on a network? 


A) access control lists 

B) password authentication 

C) accounting software 

D) record management software 


Which Cisco Systems router would be typical for a central site? 
A) Cisco 1700 Series 
B) Cisco 1600 Series 
C) Cisco 2600 Series 
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Q7) — Which of these technologies can be used at a remote site to connect to the central site? 


A) 
B) 
C) 
D) 
E) 


leased line 

Frame Relay 

ISDN 

broadband services (cable or DSL) 
all of the above 


Q8) — Which Cisco routers are typically used for a branch office? 


A) 
B) 
C) 
D) 


Cisco 7000 Series 
Cisco 4000 Series 
Cisco 3600 Series 
Cisco 2600 Series 


Q9) Which is the most typical WAN connection type for a SOHO user who will require 


connectivity from a different site to a central site every day? 


A) 
B) 
C) 
D) 


dedicated serial connection 
circuit-switched connection 
broadband connection 


asynchronous dialup connection 


Q10) Which Cisco routers are typical for a SOHO site? 


A) 
B) 
C) 
D) 


Cisco 7000 Series 
Cisco 4000 Series 
Cisco 2600 Series 
Cisco 800 Series 
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Quiz Answer Key 


Ql) D 

Relates to: WAN Connection Types 
Q2) B 

Relates to: WAN Connection Speed Comparison 
Q3) Cc 

Relates to: WAN Connection Summary 
Q4) A 

Relates to: Site Requirements 
Q5) A 

Relates to: Central Site Considerations 
Q6) Cc 

Relates to: Central Site Router Equipment 
Q7) £ 

Relates to: Branch Office Considerations 
Q8) D 

Relates to: Branch Office Router Equipment 
Q9) D 

Relates to: SOHO Site Considerations 
Q10) D 


Relates to: SOHO Site Router Equipment 
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selecting Cisco Products for 
Remote Connections 


Overview 


Cisco offers many different routing platforms, interface modules, and cables to provide remote 
access. This lesson introduces the Cisco WAN solutions that are used to connect various 
company sites. 


Relevance 


Selecting appropriate equipment is critical to creating an internetwork. 


Objectives 
Upon completing this lesson, you will be able to 
m@ Select appropriate equipment 
m™ Select appropriate fixed and modular interfaces 
m= Select appropriate cables to build an internetwork 


m= Interpret the meaning of various LED indicators on a Cisco router 


Learner Skills and Knowledge 


To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m All knowledge presented in the /ntroduction to Cisco Networking Technologies (INTRO) 
course 


m All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course 


Outline 


1-52 


This lesson includes these topics: 


Overview 

Cisco Remote Access Solutions 

Interfaces: Fixed Interface 

Interfaces: Modular Interface 

Network Cabling and Assembly 
Verification of Network Installation 
Verification of Branch Office Installation 
Verification of SOHO Installation 

Products with Cisco Product Selection Tools 


Summary 


Quiz 
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Cisco Remote Access Solutions 


This topic describes Cisco devices and their possible use. 


Cisco Remote Access Solutions 


Access www.cisco.com for the latest a 


product information. Cisco 3700 ras 
Series 


Cisco 3600 
Series 


Cisco 2600 wa 
Series Central Site Solutions 


Cisco 1700 
Series 


Cisco 1600 =] 
Series 
a 


Small Office Solutions 


Sranch Office Solutions 


Residential Telecommuter Site Solutions 
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Cisco Systems offers access servers, routers, and other equipment that allows connection to the 
WAN service. The figure highlights some of the products that are best suited for various 
company sites. 


The Cisco 800 Series routers are the lowest-priced Cisco routers, using a nonmodular fixed 
configuration, but based on Cisco IOS software. The Cisco 800 Series access routers provide 
big-business networking benefits to small offices and corporate telecommuters. The Cisco 800 
Series offers secure, manageable, high-performance solutions for Internet and corporate LAN 
access. 


The Cisco 1600 Series routers have a slot that accepts a WAN interface card (WIC). These 
cards are shared with the Cisco 1700, 2600, and 3600 Series routers and will be shared in future 
modular branch office products. 


The Cisco 1700 Series access routers deliver optimized security, integration, and flexibility in a 
desktop form factor for small and medium-size businesses and small branch offices that want to 
deploy Internet/intranet access or VPNs. The Cisco 1721 access router features two modular 
WAN slots that support WICs (as is common in other 1600, 2600, and 3600 Series access 
routers) and an autosensing 10/100-Mbps Fast Ethernet LAN port to provide investment 
protection and flexibility for growth. 


The Cisco 2600 Series routers feature single or dual fixed LAN interfaces. A network module 
slot and two WIC slots are available for WAN connections. 
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The Cisco 3700 Series multiservice access routers also offer an integrated solution for dialup 
and permanent connectivity over asynchronous, synchronous, and ISDN lines. Up to four 
network module slots are available for LAN and WAN requirements. 


The Cisco 7200 Series routers are also very high-performance, modular, central-site routers that 
support a variety of LAN and WAN technologies. The Cisco 7200 Series is targeted at large 


regional offices that require high-density solutions. 


The table highlights some of the features and WAN options for each series of routers. 


Cisco Features 
Routers 
800 Series ISDN BRI, serial connections, basic telephone service ports, broadband port, entry- 


level Cisco IOS software 


1600 Series ISDN BRI, one WIC slot 


1700 Series Two WIC slots 


2600 Series Various fixed LAN interface configurations, one network module slot, two WIC slots 


3700 Series Two slots (the 3725) or four slots (the 3745) 


AS5000 Access server with multiple T1/E1 ISDN PRI and modem capabilities 
Series 


7200 Series Supports a wide range of WAN services, with the high port density necessary for a 
scalable enterprise WAN 


Note A “power branch’ is a branch office that offers enhanced capabilities, such as those included 
in the Cisco 3700 Series routers. Because of their expandability, the Cisco 3700 Series 
routers are common today in branch offices. Refer to Cisco.com for the most up-to-date 
information on Cisco equipment. 
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Interfaces: Fixed Interface 


This topic describes various fixed WAN connection types. When selecting interfaces to support 
a WAN, you can choose between fixed interfaces and modular interfaces. 


Determining the Appropriate Interfaces— 
Fixed Interfaces 


Fixed-Configuration Router 


Ethernet Synchronous System 
AUILED serial LEDs OK LED 


Ethernet Synchronous Console Oniolf Power 
AUl port serial ports port (RJ-45) swilch 


(DB-15)  (DB-60) Auxiliary port 
(Ru-45) 


The router that you select for your WAN connection must offer the interfaces that will support 
your WAN connection. 


Typical interfaces that are found on a Cisco router (along with the typical WAN connections) 
support the following: 


Asynchronous serial: Used with a modem, supports asynchronous dialup connections 
Synchronous serial: Supports connections such as leased lines and Frame Relay 
Ethernet: Supports Broadband connections 

BRI: Supports ISDN BRI connections 


Channelized T1 or E1: Supports connections such as leased lines, dialup, ISDN PRI, and 
Frame Relay 


Fixed-configuration routers are available with predetermined fixed LAN and WAN interface 
options. Fixed-configuration routers do not require additional WICs or network modules. 
However, after they are purchased, the interfaces available are limited to only those that were 
factory installed. 
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Interfaces: Modular Interface 


This topic describes various modular WAN connection types. When selecting interfaces to 
support a WAN, you can choose between fixed interfaces and modular interfaces. 


Determining Appropriate Modular 
Interfaces 


Set rE 


| Modular-Configuration Router 


8-Port A/S Serial Module 
pai Ati s=aatt ttf) ll s=2itH ee | Hd 


ee) TENET) 


er 
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If you select a fixed-configuration router, you receive the router with the interfaces already 
installed on the box. However, you cannot add or change interfaces on a fixed-configuration 
router. 


Modular routers and access servers such as the Cisco 3600 Series are built with one or more 
slots that allow you to customize the box. You can determine the types of interfaces on the 
router by selecting various feature cards, network modules, or WICs to install. Although 
modular routers require adding equipment to the physical router, they are more scalable as your 
network grows and your needs change. 
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Network Cabling and Assembly 


This topic describes the cables that are used to connect the network components. 


Assembling the Network 


Ceritrat Site, 
Headquarters, 
Emerprse 


monte 
bi sers : 
= 


Packet-Switched, 
Analog, ISDN, and 
Internet Services 


Sena! 

ISON PRO 

Frame Relay 

ISDN BRI a ee 

POTS Remote Site, 


Branch Office 
Asynchronous aa 
Modem ? 


The figure illustrates the cable connections that are available for various WAN types. These 
include: 


1. Asynchronous connections: Asynchronous connections require RJ-11 cables attached 
from the modem line port to the telephone company jack. If you are using an external 
modem attached to a Cisco router, you must also use a Cisco EIA/TIA-232 cable to attach 
the modem to the serial interface of the router. The DB-60 end of the cable connects to the 
router. The DB-25 end attaches to the modem. 


2. ISDN BRI: ISDN BRI connection interfaces require RJ-45 cables to connect the BRI 
interface to the ISDN network. The BRI modules and BRI WICs are available with either 
an S or T interface that requires an external NT-1 or a U interface with a built-in NT-1. 


3. ISDN PRI (North America): Channelized T1 (CT1)/PRI modules are available with or 
without a built-in CSU. If you use an external CSU, attach a female DB-15 cable to the 
interface of the router. The other end of the straight-through cable will attach to the CSU, 
which in turn attaches to the ISDN network. Routers with internal CSU modules attach 
directly to the ISDN network with a standard RJ-48 connector. 


4. ISDN PRI (Europe): Channelized El (CE1)/PRI modules are available with balanced and 
unbalanced interfaces. CE1/PRI-balanced modules provide a 120-ohm E1 interface for 
network connections. The unbalanced modules provide a 75-ohm E1 interface for network 
connections. Four serial cables are available from Cisco for the CE1/PRI module. All four 
cables have DB-15 connectors on the router end and DNC, DB-15, twinaxial, or RJ-45 
connectors on the network end. 
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5. Frame Relay: If you establish a Frame Relay serial connection, Cisco routers support the 
following signaling standards: EIA/TIA-232, EIA/TIA-449, V.35, X.21, and EIA-530. 
Cisco supplies a DB-60 shielded serial transition cable with the appropriate connector for 
the standard that you specify. The router end of the shielded serial transition cable has a 
DB-60 connector, which connects to the DB-60 port on the serial interface of the router. 
The other end of the serial transition cable varies according to the standard that you 


specify. 


6. Broadband: Broadband connections will generally require an Ethernet interface port and 
service provider equipment. Data service is generally provided through equipment from the 
provider and converted to RJ-45 by the customer. 


Note You can use the RJ-48 and DB-15 cables for Frame Relay connections. They can be 
plugged into a T1 carrier interface. After a channel group is configured, Frame Relay 
encapsulation can be run over the connection. 
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Verification of Network Installation 


This topic demonstrates how to use the LEDs on your Cisco equipment to verify proper 
installation. 


Verifying Central Site Installation 


Enable LED MICA Module Bank LEDs 


CN/LP, RXC, RXD, 
TXC, and TXD LEDs 


Remote Alarm, Local Alarm, Loopback, AteD” LED 


and Carrier Detect LEDs 


Each central site router has LED displays that allow you to verify that the router components 
are installed and functioning properly. 


Note For LED information specific to your router, refer to the installation and configuration guide 
that accompanied your router. 


On the Cisco 3600 Series router, the LEDs on the front of the router enable you to determine 
router performance and operation. The READY LED indicates that a functional module has 
been installed in the indicated slot. If the LED is off the slot is empty or the module is not 
functional. The ACTIVE LED blinks to indicate network activity on the module that is 
installed in the indicated slot. 


All network modules have an ENABLE (EN) LED. The ENABLE LED indicates that the 
module has passed its self-tests and is available to the router. 


Each Ethernet port has two LEDs. The ACTIVITY (ACT) LED indicates that the router is 
sending or receiving Ethernet transmissions. The LINK LED indicates that the Ethernet port is 
receiving the link integrity signal from the hub (1OBASE-T only). 
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Each PRI network module has four LEDs in addition to the enable LED. These LEDs are: 

= REMOTE ALARM: Designates a remote alarm condition 

m= LOCAL ALARM: Designates a local alarm condition 

= LOOPBACK: Designates a loopback condition 

= CARRIER DETECT: Specifies that you received the carrier on the telephone company 
link 


Digital modem modules have five LEDs in addition to the ENABLE LED, one for each Modem 
ISDN channel aggregation (MICA) technologies module bank. The LEDs blink during 
initialization. After the ENABLE LED comes on, the MICA module LEDs indicate that the 
corresponding MICA module is functioning. If a MICA module fails its diagnostics, or if no 
MICA module is installed in a position, its LED remains off 

Each port on the serial network module has additional LEDs. These LEDs are: 

m= CN/LP: Connect when green, loopback when yellow 

m RXC: Receive clock 

m RXD: Receive activity 

m= TXC: Transmit clock 

= TXD: Transmit activity 
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Verification of Branch Office Installation 


This topic discusses the meaning of various LEDs on a Cisco router. Indicator LEDs on a router 
enable you to verify that the components are installed and functioning correctly. 


Verifying Branch Office Site Installation 


System POWER _ 
( 
System OK 


BF! U part 


WIC 2AIS 


The system POWER and OK LEDs indicate the 
router is on and has successfully booted 


Each branch office and telecommuter router has LED displays that allow you to verify that the 
router components are installed and functioning properly. 


Note For LED information specific to your router, refer to the installation and configuration guide 
that accompanied your router. 


On Cisco 1721 routers, you can use the LEDs on the front of the router to determine router 
performance and operation. The LEDs are as follows: 


m= PWR: The green system POWER LED indicates the router is turned on and DC power is 
being supplied. 


m System OK: The green system OK LED indicates the router has successfully booted. This 
LED blinks while in the boot cycle. 


m ETH ACT: The green LAN ACTIVITY LED indicates that data is being sent to or 
received from the local Ethernet LAN. 


m= ETH COL: A flashing yellow LAN COLLISION LED indicates frame collisions on the 


local Ethernet LAN. 

= WICO ACT/CHO: The green WIC CONNECTION LED indicates an active connection on 
this WIC port. 

= WICO ACT/CH1: The green WIC CONNECTION LED indicates an active connection on 
this WIC port. 
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= WIC1 ACT/CHO: The green WIC CONNECTION LED indicates an active connection on 
this WIC port. 


m= WIC1 ACT/CH1: The green WIC CONNECTION LED indicates an active connection on 
this WIC port. 


The serial WIC has several LEDs that indicate data is being sent over the WIC serial ports. 


The ISDN BRI U interface card has several LEDs that indicate data is being sent over the 
WAN ISDN port. 
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Verification of SOHO Installation 


This topic discusses the meaning of various lights on Cisco 800 Series routers. Indicator LEDs 
on arouter enable you to verify that the components are installed and functioning correctly. 


Verifying SOHO Site Installation 
ee A 


Ethernet ports ISDN BRI U port Telephore ports 
Comvect E theme Conmect ta ISON Connect to istephone 
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< (tor Ethernet port @) 
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Supply 


Each SOHO router has LED displays that allow you to verify that the router components are 
installed and functioning properly. 


Note For LED information specific to your router, refer to the installation and configuration guide 
that accompanied your router. 
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On the Cisco 800 Series routers, you can use the LEDs on the back of the router to determine 
router performance and operation. The LEDs are shown in the table. 


LED Function of 800 Series Router 


LED Color Function 


OK Green On when power is supplied to the router and when the router completes 
the self-test procedure and begins operating. 


NT-1 Green Not applicable for Cisco 801 and 803 routers. 

On when the internal NT-1 and the ISDN switch are synchronized. 
Blinks when the internal NT-1 and the ISDN switch are attempting to 
synchronize. 


LINE Green On when the ISDN interface and the ISDN terminal device are 
synchronized. 


LAN Green On when packets are sent to or received from an Ethernet port. 
LAN RXD Green Blinks when an Ethernet port receives a packet. 

LAN TXD Green Blinks when an Ethernet port sends a packet. 

LK@, LK1, Green Cisco 803 and 804 routers only. 

LK2, LK3 On when the Ethernet device is connected. 


Off when the Ethernet device is not connected. 
Blinks when the connection has a problem. 


ETHERNET | Green Cisco 804 IDSL routers only. 

1,2,3,4 On when the Ethernet device is connected. 
Off when the Ethernet device is not connected. 
Blinks when the connection has a problem. 


CH1 Orange Blinks when placing or receiving a call on the first ISDN B channel. 
On when a call is connected on the first ISDN B channel. 
For IDSL routers, see the note following this table. 


CH1 RXD Orange Blinks when packets are received from the first ISDN B channel. 
CH1 TXD Orange Blinks when packets are sent from the first ISDN B channel. 
CH2 Orange Blinks when placing or receiving a call on the second ISDN B channel. 


On when a call is connected on the second ISDN B channel. 
For IDSL routers, see the note following this table. 


CH2 RXD Orange Blinks when packets are received from the second ISDN B channel. 
CH2 TXD Orange Blinks when packets are sent from the second ISDN B channel. 
PH1, PH2 Green Cisco 803 and 804 routers only. 


On when basic telephone service is in use. 


LINK Green On back panel of the Cisco 801, 802, and 802 IDSL routers only. 
On when Ethernet device is connected. 
Blinks when the connection has a problem. 


Note On Cisco 802 IDSL and Cisco 804 IDSL routers, either CH1 or CH2 is on if the router has an 
active data connection and the line speed is 64 kbps. CH1 and CH2 are both on if the router 
has an active data connection and the line speed is 128 or 144 kbps. 


1-64 Building Cisco Remote Access Networks (BCRAN) v2.1 Copyright # 2004, Cisco Systems, Inc. 


Products with Cisco Product Selection Tools 


This topic discusses the Cisco tools for use in selecting Cisco products. 


Selecting Products with Cisco Product 
Selection Tools 


Gass Sraties a a 
6 


For up-to-date information, use the online tools at 


http://www.cisco.com/en/US/products/hw/routers/index.html _ 
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To assist you with product selection, Cisco has extensive documentation and product 


specifications on its website at http:/Awww.cisco.com/en/US/products/hw/routers/index.html. — 


You will also find product selection and configuration tools on the site. These tools are 
designed to help you determine the router that best meets your requirements and how to 
configure it. 


Because technology and product offerings change frequently, access this website for the most 
up-to-date product information. 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 


° The type of Cisco Systems router used will vary 
depending on where it will be used. 


° Select the appropriate fixed and modular 
interfaces. 


¢ Select the appropriate cables to build an 
internetwork. 


* Each router has LED displays that allow you to 
verify that the router components are installed and 
functioning properly. 


BCRAN v2.1—1-10 


Next Steps 
For the associated lab exercise, refer to the following section of the course Lab Guide: 


m Lab 1-1: Using the BCRAN Lab Equipment 
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Quiz 


Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 


Ql) 


Q2) 


Q3) 


Q4) 


QS) 


Q6) 
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Which of these Cisco routers can offer the highest port density? 


A) 
B) 
C) 
D) 


Cisco 1700 Series 
Cisco 7200 Series 
Cisco 2600 Series 
Cisco 3600 Series 


Which of these router interfaces support the Frame Relay connection? 


A) 
B) 
C) 
D) 


synchronous serial 
Ethernet 
BRI 


asynchronous serial 


What is an advantage of a fixed-configuration router? 


A) 
B) 
C) 


D) 


You can purchase additional interfaces to expand this router. 
You receive the router with the interfaces you requested. 


You will be able to change the configuration in the future when your needs 
change. 


Your fixed-configuration router can easily be upgraded in the future. 


Asynchronous modem connections require which of these cables? 


A) 
B) 
C) 
D) 


RJ-11 cable 
RJ-45 cable 
DB-15 cable 


fiber-optic cable 


How many indicator LEDs does each Ethernet port typically have? 


A) 
B) 
C) 
D) 


1 


2 
3 
4 


Which indicator LED on a router typically indicates that the router is turned on? 


A) 
B) 
C) 
D) 


The green system POWER LED 

The green LAN ACTIVITY LED 

The green system OK LED 

A flashing yellow LAN COLLISION LED 
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Q7) What does it typically mean when the CHI RXD indicator LED is orange and 
blinking? 
A) the connection has a problem 
B) packets are being received from the first ISDN B channel 
C) packets are being received from the second ISDN B channel 
D) packets are being received from the third ISDN B channel 
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Quiz Answer Key 


Ql) B 

Relates to: Cisco Remote Access Solutions 
Q2) A 

Relates to: Interfaces: Fixed Interface 
Q3)  B 

Relates to: Interfaces: Modular Interface 
Q4) A 

Relates to: Network Cabling and Assembly 
Q5)  B 

Relates to: Verification of Network Installation 
Q6) A 

Relates to: Verification of Branch Office Installation 
Q7) B 


Relates to: Verification of SOHO Installation 
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Module 2 | 


Supporting Asynchronous 
Modems 


Overview 


On completion of this module, you will have configured remote connections via asynchronous 
modems. 


Objectives 


Upon completing this module, you will be able to 


Outline 


Configure an access server for modem connectivity 
Configure a modem manually for basic asynchronous operations via a reverse Telnet 
Configure a router to discover the modem type automatically and configure it 


Configure the router auxiliary port and modem to support remote privileged EXEC access 
for configuration and remote diagnostics 


The module contains these lessons: 


Connecting and Operating Modems 
Configuring Modems 
Autoconfiguring Modems 


Verifying and Debugging Modem Autoconfiguration 
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Connecting and Operating 
Modems 


Overview 


Modem connections can provide dialup connectivity to a router for out-of-band administration 
and troubleshooting. This feature allows for a remote connection to a router in the event of 
primary connection failure. This connection can also be used for dial-out networking and for 
site-to-site communication. This lesson provides an overview of modem connections and their 
operation. 


Relevance 


Using modems is an excellent option for out-of-band management of Cisco Systems routers or 
dial-in connectivity. You should understand modem operation before you configure these 
services. 


Objectives 
Upon completing this lesson, you will be able to: 
m™ Describe the modulation and demodulation process of transmitting and sending data 
m™ Select the appropriate cable for DTE and DCE connections 
m List and describe modem modulation standards both proprietary and public 


= Troubleshoot speed mismatch in modem communication 


Learner Skills and Knowledge 


To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO) 
course 


m All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course 


Outline 


2-4 


This lesson includes these topics: 


Overview 

Modem Connections and Operation 
The DTE-DCE Interface 

Modem Signaling—Data 

Modem Signaling—Control 


Modem Control Example 


Modem Operation 

DTE-to-DTE Wiring 

RJ-45 Wiring and Cables 

Working Connections 

Error Control and Data Compression Standards 
Modem Modulation and Standards 

Modem Speed and Compression 

Theoretical Speeds 


Summary 


Quiz 
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Modem Connections and Operation 


This topic describes modulation and demodulation. 


A Typical Modem Connection 
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A modem converts (modulates) outgoing digital signals from a computer to analog signals for a 
conventional copper twisted-pair telephone line. When the signal reaches its destination, the 
destination modem reconverts (demodulates) the incoming analog signal to a digital signal. 


The outgoing analog signal generated by the modem is propagated over telephone lines until it 
reaches a switch at the telco office. A device called a codec converts (codes) the analog signal 
into a digital format called pulse code modulation (PCM). This signal is then routed over the 
digital networks of the telco until the signal reaches the destination telco switch, where another 
codec reconverts (decodes) the digital signal to analog. 


The advantage of using analog lines is that no special lines or equipment are required. 
However, the public switched telephone network (PSTN) local loops are all analog and are 
prone to line noise and lower data rates. 


Each analog-to-digital conversion introduces noise into the signal. Amplifying the signal over 
long distances would also amplify any noise in the signal. Amplifying digital signals simply 
means recreating the on or off'state of the signal, which drastically reduces line noise. For this 
reason, telco providers choose to carry data in a digital format. In telecommunications 
terminology, a digital amplifier is called a regenerative repeater or simply a repeater. 


Maximum data rate is usually limited to between 28.8 and 56 kbps. However, the maximum 56 
kbps rate is never achieved because of current regulations and analog links. 


Note In North America, current regulations limit modem speeds to 53 kbps. 
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The DTE-DCE Interface 


This topic describes DTE and DCE. 


The DTE-DCE Interface 


1 
EIA/TIA-232 


om @ 


DCE 


Data Terminal Equipment 
Data Communications Equipment 


End devices, such as PCs, workstations, mainframe computers, and routers, are referred to as 
data terminal equipment. DTEs communicate with each other through data communications 
equipment such as modems, CSUs, and DSUs. (The EIA defines DCE as data communications 
equipment. The International Telecommunication Union-Telecommunication Standardization 
Sector [ITU-T, formerly known as CCITT] defines DCE as data circuit-terminating equipment.) 


The EIA/TIA-232 standard defines the interface between DTE and DCE. 


The end-to-end communication path between two DTEs consists of three segments (refer to the 
figure shown): DTE-DCE, DCE-DCE, and DCE-DTE. You must administer a set of cabling 
and configuration elements for each segment. 


Note The EIA/TIA-232-C (formerly known as RS-232-C) standard is the most commonly used 
asynchronous interface for data communications in North America. The RS-232 standard 
was first issued in 1962, and its third revision, RS-232-C, was issued in August 1969. 
Although the ubiquitous D-shaped 25-pin connector (DB-25) has become the market 
standard for EIA/TIA-232-C interfaces, it was not specified in the original RS-232-C 
standard. Many EIA/TIA-232-C devices use other connectors, such as the DB-9 or 
RJ-11/RJ-45 modular connectors. X.21 is a European standard that defines the DCE-DTE 
interface. For more information on these and other standards, refer to Cisco.com or any 
reliable data communications reference text. 
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Modem Signaling—Data 


This topic describes modem signaling to transmit data. 


Modem Signaling—Data 


Data TxD —_————— 
Transfer RxD ; ~——__—— 


DB-25 Pins 


Although a DB-25 serial connector has 25 pins, only 8 pins are actually used for connecting an 
access server (DTE) to a modem (DCE). The other 17 signals are not interesting, and are 
ignored. You can group the eight interesting signals into three categories according to their 
functionality: 


m= Data transfer 
m Hardware flow control 


™ Modem control 


The figure shows the data transfer group: 
m= TxD: Transmit data. The DTE transmits data to the DCE. 
m RxD: Receive data. The DTE receives data from the DCE. 


= GRD: Ground (pin 7). This pin provides the ground reference for voltage measurements. 


Note The signals and pins shown are for the EIA/TIA -232 specifications. 
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Modem Signaling—Control 


This topic discusses the modem signaling control group. 


Modem Signaling—Control 


DTE 


Flow 
Control 


Modem 


Control 


DB-25 Pins 
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Modem control consists of several signals between the DTE and DCE that are used to initiate, 
terminate, and monitor the status of the connection. 


The figure shows the remaining two groups of interesting signals between a DTE device and a 
DCE device: 
= Hardware flow control 


— __ RTS: Request To Send. The DTE has buffers that are available to receive from the 
DCE. 


— CTS: Clear To Send. The DCE has buffers that are available to take data from the 
DTE. 


= Modem control 


—  DTR: Data terminal ready. The DTE indicates to the DCE that it can accept an 
incoming call. 


— CD: Carrier Detect (also referred to as data carrier detect [DCD]). The DCE has 
established a carrier signal with the remote DCE. 


— DSR: Data set ready (pin 6). The DCE is ready for use. This pin is not used on 
modem connections. 
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Modem Control Example 


This topic describes how to terminate a modem connection. 


Terminating a Modem Connection 


DTE-Initiated —=) 


* Router drops DTR. 


* Modem must be programmed to terminate 
connection on loss of DTR and restore to saved 


settings. , 
DCE-Initiated , 
* Router detects Carrier Detect (CD) low and 
terminates connection. 


¢ Modem must be programmed so that CD reflects 
the state of the carrier. 


The figure highlights the modem control function for terminating a connection. Either the DTE 
device or the DCE device may signal for the connection to be terminated. The signals that are 
used for this function are DTR from the DTE or the modem recognizing the loss of the CD 
signal. 

When modem control is not configured properly, the following symptoms may occur: 

m= “The modem will not hang up when I quit my session.” DTR is not dropped or recognized. 


m= “I end up ina session belonging to someone else.” CD is not dropped or recognized. 
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Modem Operation 


This topic describes basic modem operations. 


Modem Operation 
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Modems perform their basic operations in one direction: 
= Outgoing data from an originating DTE comes into the sending modem via the TxD pin. 


m Ifthe sending the modem buffer is nearly full, the modem can control flow (via hardware) 
by lowering the CTS signal, thereby instructing the DTE not to use TxD. 


m The data is compressed using a proper algorithm (Microcom Networking Protocol-5 
[MNP-5] or V.42dis), which was mutually agreed upon between the two communicating 
modems when they connected initially. 


m The data is then packetized, where windowing, checksum, error control (using MNP-4 or 
Link Access Procedure for Modems [LAPM]), and retransmission are performed. 


Note In this context, the term packetized does not refer to an IP packet or Layer 3 protocol data 
unit (PDU). Packetization and compression are options. 


m= The digital data is modulated into analog signals and sent out through the telephone 
network. 


m When the data reaches the receiving modem, it goes through the same steps in reverse 
order. The signal is demodulated, and the data is depacketized, decompressed, and 
delivered to the destination DTE. The DTE can use RTS to indicate that it is unable to 
receive data on the RxD pin. 
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DTE-to-DTE Wiring 


This topic describes the pinout of a null modem cable. 


DTE-to-DTE Wiring 


Data 
Transfer 


Hardware boi 
Flow Control | ers 


Modem 
Control 


Null Modem Cable 
(with DB-25 Connectors) 
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When two DTE devices, such as an access server and a terminal, are near each other, connect 
them directly without going through a telephone network and two modems. An ordinary 
EIA/TIA-232 cable will not work in this case, because both DTE devices transmit on the TxD 
lead (pin 2), and both expect input on the RxD lead (pin 3). A null modem cable is required for 
the DTE-to-DTE connection. 


Null modems crisscross DB-25 pins 2 and 3 and other corresponding pins (as shown in the 
figure) so that the two DTE devices can communicate. You can configure some devices to 
operate either as a DTE or a DCE. Configuring a device as a DCE usually means that it 
receives data on pin 2 and transmits data on pin 3. For example, many serial printers are 
configured as DCE devices so that you can connect them directly to a DTE (a PC or a terminal 
server) with an ordinary EIA/TIA-232 cable. This practice eliminates the need for a null 
modem connection. 
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RJ-45 Wiring and Cables 


This topic describes the Cisco implementation of using RJ-45 ports for various connections. 


RJ-45 Wiring and Cables 


Cisco DTE 
Device (Aux) 


Straight RJ-45 Pins 
End and 
Connectors Signals Connectors 
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Cisco uses RJ-45 ports and connectors for console, auxiliary, and asynchronous port 
connections. The specific pinouts to be used on an RJ-45 interface for EIA-232 are not defined 
by any standards. Cisco defines the RJ-45 pinouts (shown in the figure) as DTE. 


Cabling from the access server port (RJ-45) to an external device, such as a modem or terminal, 
requires the use of two cabling components: 


m RJ-45-to-RJ-45 cable: Can be either a rollover cable (reverse pins 1-8, 2-7, 3-6, 4-5) or a 
straight-through cable (1-1, 2-2, and so forth). To check whether a cable is straight-through 
or rolled, hold the two connectors (the two ends of the cable) side by side. With the keys at 
the back and the pins up, compare them by inspecting the color-coded wires inside the 
connector. If the wires use the same colors on the same pins, it is a straight-through cable. 
If the wires are a mirror image of each other, it is a rolled cable. The octal cable that is used 
to connect to the asynchronous ports is the equivalent of a rolled cable. 


m RJ-45-to-DB-25 adapter: Also straight-through or rolled. 
— Male DTE (MDTE) or female DTE (FDTE) adapter. Straight-through. 
— Male DCE (MDCE) or female DCE (FDCE) adapter. Rolled. 


— MMOD (male modem-style) adapter. Rolled. This adapter supports only modems 
that are modified from MDCE connectors by wiring DB-25 pin 8 to DSR, instead of 
pin 6. 
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Working Connections 


This topic describes how to connect devices to a Cisco router. 


Working Connections 


Rolled + straight = rolled overall 


DB-9/25 | 
eS + Rolled RJ-45 Cable +000 -» mee | 


Aux/Console Port (Straight) DB-S 


(DTE) Terminal 
(DTE) 


Rolled + rolled = straight overall 


DB 4 
— « Rolled RJ-45 Cable Adapter £ 


Aux/Console Port 
(DTE) 
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This figure displays the working connections between an access server and various types of end 
devices. 


The auxiliary and console ports are configured as DTE devices on Cisco access servers. 
Terminals are also DTE devices. As noted earlier, two DTE devices cannot be directly 
connected unless the signals are rolled exactly one time. You must, therefore, roll the pins in 
either the cable or the DB-25 adapters, but not both. The “formula for success” is as follows: 


m DTE +rolled RJ-45 cable + straight DB-25 adapter + DTE = OK 
m DTE + straight RJ-45 cable + rolled DB-25 adapter + DTE = OK 


When connecting a DTE to a DCE, however, you should have either no rolls or two rolls in the 
cable and the connector. The “formula for success” is as follows: 


m DTE + rolled RJ-45 cable + rolled DB-25 adapter + DCE = OK 
m DTE + straight RJ-45 cable + straight DB-25 adapter + DCE = OK 


The part number for the rolled RJ-45-to-RJ-45 cable is CAB-S500RJ. 


When you order access servers with asynchronous ports, you must order the corresponding 
cable accessories. Order one CAB-OCTAL-KIT (an 8-lead octal cable and eight male DB-25 
modem connectors) for each 68-pin asynchronous connector on the access server. If the modem 
uses an RJ-45 connector, order one CAB-OCTAL-ASYNC (a rolled 8-lead octal cable with RJ- 
45 connectors). Special adapters might be required. 


Note Connecting a modem to the console port of a router is a security risk because it initially has 
no protection or security features enabled. 
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Cisco routers typically ship with a console and auxiliary port cabling kit that may include the 


following components: 


m RJ-45-to RJ-45 rollover cable 


m RJ-45-to-DB-9 FDTE adapter (labeled TERMINAL)—primarily used to connect to a PC 


being used as a console terminal 


m RJ-45-to-DB-25 FDTE adapter (labeled TERMINAL)—can be used to connect a computer 
terminal or an older computer to the console or auxiliary port 


m RJ-45-to-DB-25 MDCE adapter (labeled MODEM)—used to connect the auxiliary port to 


a modem. 


The table presents the port types for console and auxiliary ports on Cisco routers. 


DB-25 RJ-45 
Console port DCE DTE* 
Auxiliary port DTE DTE 


*DCE in the Cisco 1700 Series 
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Error Control and Data Compression Standards 


This topic describes error control and data compression. 


Error Control and Data Compression 
Standards 


oat 
Error Detection/Correction Data Compression 
¢ Microcom Networking e MNP-5: = 2:1 ratio 
Protocol (MNP) - V.42bis: 4:1 ratio 
— MNP 2-4 in public domain - V.44: 6:1 ratio 
— MNP 10 for cellular 
* CCITT V.42 
—LAPM 
— MNP 4 


BCRAN v2.1—2-11 


Error detection and correction methods have been developed to ensure data integrity at any 
speed. Some widely used methods include MNP and LAPM. 


Compression algorithms typically require error-correction algorithms. So compression under 
V.42bis and MNP-S is usually run over LAPM or MNP-4. V.42 and V.42bis are not limited to 
V.32 and V.34 modems. They can also be implemented in lower-speed equipment. The 4:1 
compression ratio provided by V.42bis is theoretical and rarely achieved. 


V.44 is the newest compression standard that is designed to be used by V.90. V.44 offers up to 
a 6:1 compression ratio, compared to the 4:1 maximum compression from V.42bis. This 20-to- 
60 percent increase in throughput is due to a new compression algorithm that is optimized for 
typical web content. 


The modern data compression technique is analogous to the video-compression or disk-packing 
algorithms that are used in computers. The compression efficiency is highly dependent on data 
content. Some data (such as ASCII files) compresses readily; other data compresses very little. 


Some application software supports data compression. However, it is usually better to let the 
modem compress transmitted data. Data compression algorithms that operate in modem 
hardware are faster than those performed by host software. If two modems have agreed on 
V.42bis compression, you must disable the compression capability of the application. This 
modem-provided compression means transferring data at a higher speed on the interface 
between the DTE and the DCE. 
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Modem Modulation and Standards 


This topic describes modem modulation standards. 


2-16 


Modem Modulation Standards 


DCE case +———+ Gag oce 


Ay 


ITU standards: Proprietary methods: 
« V.22: 1200 bps * V.32 terbo: 19.2 kbps 
° V.22bis: 2400 bps ° V.fast: 28.8 kbps 
« V.32: 9600 bps « V.FC: 28.8 kbps 
° V.32bis: 14.4 kbps ° K56Flex: 56 kbps 
° V.34: 28.8 kbps ° X2: 56 kbps 
° V.34: annex 1201H: 33.6 kbps 
e V.90: 56 kbps downstream, 33.6 kbps upstream 


e V.92: 56 kbps downstream, 48 kbps upstream 
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The function of a modem is to convert digital signals (DTE to DCE) into analog signals (DCE 
to DCE), and vice versa. The ITU-T has defined and introduced several modem modulation 
standards over the years. However, various modem manufacturers have also marketed their 
own proprietary versions of modems. Interoperability among various types of modems can be a 
challenge, sometimes even for modems from the same vendor. 


Some of the more commonly used standards are: 


The V.32bis standard supports 14.4-kbps transmit (downstream) and receive (upstream) 
connections. It was finalized in July 1991. 


The V.34 standard supports 28.8-kbps transmit and receive connections. It was finalized in 
June 1994. 


The V.34 annex 12 standard supports 33.6-kbps transmit and receive operation. If 
compression is used, up to 133.8 kbps is possible if the DTE-to-DCE connection can 
support this speed. 


The V.90 standard support connections with 56-kbps transmit and up to 33.6-kbps receive. 
Most modem manufacturers have a V.90 product, even though the actual maximum data 
rate allowed by government regulating bodies is usually 53 kbps. 


The V.92 standard support connections with 56-kbps transmit and up to 48-kbps receive. It 
offers improved features such as Quick Connect, which dramatically improves the speed at 
which users can connect with an Internet service provider (ISP), and Modem on Hold, 
which enables users to suspend and reactivate their dialup modem connection to either 
receive or initiate a telephone call. V.92 and its companion compression standard, V.44, 
were officially adopted by the ITU in July 2000. 
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With proper configuration, V.90 modems can intelligently adapt to line conditions during a 
transition. Two communicating modems will initially attempt to set up a call at 56.6 kbps. If 
line conditions do not allow a transmission at this speed, the modems fall back to the next- 
highest speed in steps of 2.4 kbps (possibly down to 2.4 kbps if necessary). Alternatively, if 
line conditions improve, the modems can increase the speed. 


If you are using two V.90 modems between two routers, the maximum speed will be no greater 
than 33.6 kbps. Modems operating at 33.6 kbps function under the assumption that the 
connection between the user and the ISP is totally analog. Modems operating at 56 kbps treat 
the telephone network as a partially digital connection. In fact, the connection between the 
PSTN and the ISP must be digital to support a data transfer rate greater than 33.6 kbps. 


The codec located at the PSTN converts analog signals into digital pulses and vice versa. These 
digital pulses, or PCM, are transmitted at a rate of 64 kbps. A 56-kbps modem transmits and 
receives data asymmetrically. The upstream is limited to 33.6 kbps. The downstream is limited 
to 53333 bps in the United States by the U.S. Federal Communications Commission (FCC). 
Downstream data flow is the advantage of 56 kbps and PCM. The conversion from digital to 
analog causes less complication for a PCM modem (a 56-kbps modem) than the conversion 
from analog to digital. A 56-kbps modem cannot establish a transfer rate greater than 33.6 kbps 
downstream if more than one conversion exists on the telephone network between the ISP and 
user. 


Older modems negotiate a fixed transmission rate during handshaking, but after that, 
communications continue at the same speed. If line quality deteriorates below a certain 
threshold, the connection is lost. Older modems cannot take advantage of any increased 
bandwidth later, when the line quality improves. 


The access server is unaware of modulations because it is directly involved with only DTE-to- 
DCE communication. However, the access server-to-modem speed must account for 
modulation speed and compression ratio for optimal end-to-end performance. 
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Modem Speed and Compression 


This topic describes how to calculate true modem speed with compression. 
Modem Speeds and Compression 


3:31 31 
Compression Compression 


——> 
115.2 kbps 115.2 kbps 


The speeds and compression rations shown 
assume ideal conditions. 
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The difference between the DCE-to-DCE modulation speed and DTE-to-DCE speed is often a 
source of confusion. The former represents how fast the modems communicate with each other 
across the telephone network. The latter represents how fast your computer communicates with 
the attached modem. 


In an ideal situation, to gain full benefits from compression, the DTE (for example, a PC) must 
send to the DCE (a modem) at speeds matching the potential compression ratio. However, the 
EIA/TIA-232 serial interface commonly found on PCs and some Macintosh computers (the 
COM port) might operate considerably more slowly than the full potential speed of V.34. The 
problem is that some PCs and Macs use the EIA/TIA-232 serial interface with a combination of 
Universal Asynchronous Receiver/Transmitters (UARTs) and character-oriented 
communications software packages, which are not reliable at higher data rates. Ina PC, DTE 
should be set to clock the modem at its fastest rate to take advantage of compression. 


An improperly configured modem might automatically adjust DTE-to-DCE speeds to match the 
established DCE-to-DCE speeds. This state is often called speed mismatch. To avoid speed 
mismatch, you must lock the DTE-to-DCE speed so that it remains constant, as originally 
configured. This speed-locking mechanism is called speed conversion (also known as port-rate 
adjustment or buffered mode). 
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Theoretical Speeds 


This topic describes various theoretical modem speeds. 


Theoretical Speeds 


Maximum Speed with 4:1 
V.42bis Compression 


Bits Per Second 
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This figure displays the maximum theoretical speeds possible for selected modem modulation 
standards. Also displayed are the possible speeds if V.42bis compression is used with the same 
standards. 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
ae | 


e Modem connections can provide dialup 
connectivity to a router for out-of-band 
administration and troubleshooting. 


* Modems convert outgoing digital signals to 
analog, and convert incoming analog signals back 


to digital. 


¢ Cisco uses RJ-45 ports and connectors for 
console, auxiliary, and asynchronous port 
connections. 


¢ Various modem standards are used, such as V.34 
and V.90. 
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Quiz 


Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 


Ql) 


Q2) 


Q3) 


Q4) 


QS) 


The process of converting an analog signal into a digital format is known as 


A) codec 

B) PCM 

C) modulation 
D) amplification 


Which device is an example of data terminal equipment? 


A) switch 
B) PC 

C) TSU 
D) modem 


Which pin provides the ground reference for modem communication? 


A) 1 
B) 2 
Cc) 3 
Dye - 4 


Which DTE pin indicates to the DCE that it can accept an incoming call? 


A) 4 
B) 6 
Cc) 8 
D) 20 


If you dial into an access server and end up in a session initiated by someone else, what 
is the most likely cause? 


A) DTR not being dropped 
B) CD not implemented 
C) DST not being raised 


D) ground fault occurring in the circuit 
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Q6) 


Q7) 


Q8) 


Q9) 


Q10) 


Qll) 
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If the sending modem buffer is nearly full, the modem can control flow by lowering 


which signal? 


A) 
B) 
C) 
D) 


RTS 
CD 


Which type of cable is used to connect two DTE devices? 


A) null modem 

B) rolled 

C) straight-through 

D) modem 

If you are going to connect a PC to a router auxiliary port, which type of cable should 
you use? 

A) null modem 

B) straight-through 

C) modem 

D) rolled 


Which type of cable is used to connect a modem to the auxiliary port of a Cisco router? 


A) 
B) 
C) 
D) 


null modem 
straight-through 
modem 


rolled 


Which type of file achieves the greatest modem compression? 


A) JPEG 

B) MP3 

C) text 

D) ZIP 

Which ITU modem standard can successfully negotiate a lower speed if line conditions 
deteriorate? 

A) V.92 

B) X2 

C) 56Flex 

D) V.94 
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Q12) What DTE speed must you set to take advantage of compression? 
A) four times the modem speed 
B) the modem speed 
C) half of the modem speed 
D) the highest possible speed that the DTE will support 


Q13) What is the maximum possible speed with the V.90 standard and V.42bis compression? 


A) 224000 
B) 115200 
C) 56000 
D) 38400 
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Quiz Answer Key 


QI): 2 

Relates to: Modem Connections and Operation 
Q2) 8B 

Relates to: The DTE-DCE Interface 
Q3) D 

Relates to: Modem Signaling—Data 
Q4) D 

Relates to: Modem Signaling—Control 
Q5)  B 

Relates to: Modem Control Example 
Q6) Cc 

Relates to: Modem Operation 
Q7) A 

Relates to: DTE-to-DTE Wiring 
Q8) D 

Relates to: Working Connections 
Q9) B 

Relates to: RJ-45 Wiring and Cables 
Q10) c 

Relates to: Error Control and Data Compression Standards 
Qll) A 

Relates to: Modem Modulation and Standards 
Q12) pb 

Relates to: Modem Speed and Compression 
Q13) c 


Relates to: Theoretical Speeds 
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Configuring Modems 


Overview 


This lesson contains descriptions of modem configuration methods and commands. 


Relevance 


Modem configuration is considered to be complex and error prone. If you use modems for dial- 
in, or out-of-band access, this lesson will show you the basics of how to configure your Cisco 
device and modem for that purpose. 


Objectives 
Upon completing this lesson, you will be able to: 
™ Connect toa modem from a router using reverse Telnet 
m Utilize commands to determine line numbering on a Cisco router 
= Configure a modem using standard initialization strings 


= Configure a modem using nonstandard initialization strings 


Learner Skills and Knowledge 


To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO) 
course 


m All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course 


Outline 
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This lesson includes these topics: 


Overview 

Modem Connections 

EXEC Connection Commands 

Sample Output for the show line Command 
Line Types and Numbering 

Interface Asynchronous and Line Configuration 
Basic Modem Configuration 

Standard Modem Commands 

Nonstandard Modem Commands 

Modem Initialization Strings 


Summary 


Quiz 
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Modem Connections 


This topic describes how to connect from a router to a modem. 


Connecting to the Modem 


Forward connection to a router to login 


Basic 
Telephone 
Service 


Reverse Telnet connection a: Ll 
to a modem to configure it panos 
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Cisco routers support both incoming asynchronous line connections (forward connections) and 
outgoing asynchronous line connections (reverse connections). For example, a remote terminal 
user dialing into the router through an asynchronous line makes a forward connection. In a 
reverse connection, a user connects through a router to an attached modem to configure the 
modem. 


A host can make reverse Telnet connections to various types of devices that are attached to a 
Cisco router. Different port numbers (20xx, 40xx, and 60xx) are used because different data 
type and protocol negotiations will take place for different types of devices that are attached to 
the router. 


The remote host must specify a particular TCP port on the router to connect with individual 
lines or to a rotary group. In the lower part of the figure, the remote host makes a reverse Telnet 
connection to the modem using port address 2007. Note that TCP port number 2007 specifies a 
Telnet protocol connection (TCP port 2000) to line 7. The individual line number is added to 
the end of the port number type. 
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The table displays services provided and TCP port numbers for individual lines and rotary 


groups. 


TCP Port Services 


Services Provided 


Base TCP Port for 


Base TCP Port for 


Individual Lines Rotary Groups 
Telnet protocol 2000 3000 
Raw TCP protocol (no Telnet) 4000 5000 
Telnet protocol, binary mode 6000 7000 
XRemote protocol 9000 10000 


Use the transport input command to specify which protocol to allow for connections. For 
example, the transport input all command allows all of the following protocols to be used for 


the connection: 


lat | mop | nasi | none | pad | rlogin | telnet | v120 


Each of these command options can also be specified individually. 
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EXEC Connection Commands 


This topic illustrates an example of the commands that are needed to make a reverse Telnet 
connection from a router to a modem. 


EXEC Connection Commands 


Router>#telnet [host] [port] 


e Makes a connection with the Telnet protocol 
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Use the EXEC commands shown in the figure and the table to initiate and control a reverse 
Telnet terminal session to a modem. 


Telnet-Related Commands 


Command Description 


telnet [hosf] [porf| | Makes a Telnet connection to a host (and optionally to a certain port). You can 
[/debug] specify the target host either by a host name or an IP address. The optional 
debug switch provides useful information about the connection by displaying the 
informational level of logging messages. Additionally, you can simply type the 
name of the host to which you wish to make the connection, and by default, an 
attempt to establish a Telnet session is started. The interface through which the 
connection is made provides the source IP address for that connection. 


disconnect Disconnects the specified connection or the most recent connection if not 
[session-number] | specified. 


Ctrl-Shift-6 x To suspend the current session, simultaneously press the Ctrl, Shift, and 6 
keys, followed by the x key. 
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Some additional commands that are useful for controlling and using remote connections 
include those shown in this table. 


Additional Telnet-Related EXEC Commands 


Command Description 

show session Displays the current connections (sessions) for this user. The older version of this 
command was the where command. 

show users Displays all current users and their ports. 

clear line Resets a line/port to an idle state and disconnects any sessions associated with 

[number] that line. 
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Sample Output for the show line Command 


This topic describes the appropriate commands to use to determine line numbering on various 
Cisco routers. 


Sample Output for show line 


Rotary 

Group # 
Autoselect 

State 


Access 
Class 


In/Out 


a4 


iinet 


Modem 
Setting 


Absolute ——»!4} 


Line 


Number Number 


tie i ~ : : of TCP 
Line is we ~~ {Connections 
Speed ee i Made 


PEtiitit a tests i 2) 


This is 


vty2 
(3rd vty) 
Line 20 


You can use the show line command to display all types of lines and the status of each line. 
The command also provides useful information about modem control and asynchronous port 
configuration. The show line /ine-number command displays detailed information on the 
specified line, which includes some useful data such as baud rate, modem state, and modem 
hardware state. 
The columns in the display are interpreted as follows: 
= Line state: 

= A: Active. 

= I: Inactive. 

—  *; Line is currently in use. 


m= TTY: Line number. In this case, 17. 


m Typ: Type of line. In this case, VTY indicates a vty that is active, in asynchronous mode, 
denoted by the preceding A. Other possible values are CTY (console), AUX (auxiliary 
port), TTY (asynchronous terminal port), and LPT (parallel printer). 


m= Tx/Rx: Transmit rate/receive rate of the line. 


m A: Indicates whether autobaud is configured for the line. A value of F indicates that 
autobaud is configured; a hyphen indicates that it is not configured. 


m= Modem: Type of modem signal that has been configured for the line. Possible values 
include: callin, callout, cts-req, DTR-Act, inout, and RlisCD. 
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= Roty: Rotary group configured for the line. 

= AccO, AcclI: Output or input access list number configured for the line. 

m= Uses: Number of connections established to or from the line since the system was restarted. 
= Noise: Number of times noise has been detected on the line since the system was restarted. 


= Overruns: Hardware (UART) overruns or software buffer overflows, both defined as the 
number of overruns or overflows that have occurred on the specified line since the system 
was restarted. Hardware overruns are buffer overruns indicating that the UART chip has 
received bits from the software faster than it can process them. A software overflow occurs 
when the software has received bits from the hardware faster than it can process them. 
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Line Types and Numbering 


This topic describes the concept of line numbering for reverse Telnet among various router 
platforms. 


Line Types and Numbering 


line = 0 
line=n 
line = last_tty + 1 


line = last_tty + 2+ m |: 


Line numbering varies among router platforms. TTY lines correspond to asynchronous 
interfaces on a one-to-one basis; vty lines are virtual lines that are dynamically assigned to the 
synchronous interfaces. Usually, vty lines are associated with incoming Telnet sessions. 


In the figure shown, m refers to the number of the vty lines. For example, the vty 0 line 
corresponds to line 10 on a router with eight TTY ports (con = line 0, tty = lines 1 through 8, 
aux = line 9, vty = lines 10 through 14). 


Connections to an individual line are most useful when a dial-out modem, parallel printer, or 
serial printer is attached to that router line. To connect to an individual line, the remote host or 
terminal must specify a particular TCP port on the router. If the Telnet protocol is used, that 
port is 2000 plus the line number. For example: 


telnet 131.108.30.40 2001 


This command initiates a Telnet connection to line | (2000 + /). 


The following line types are used: 
= CON: Console port (available on all Cisco routers) 
m TTY: Asynchronous port. 


m AUX: Auxiliary port (available on most Cisco routers except the Cisco 600, 700, 800, 
1000, and 1600 platforms). 


m= VTY: Virtual terminal (for incoming Telnet, local-area transport [LAT], or X.25 packet 
assembler/disassembler [PAD] connections). 
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Interface Asynchronous and Line Configuration 


2-34 


This topic describes line configuration and asynchronous interface configuration. 


Interface Asynchronous and Line 
Configuration 


Logical Configuration 

Router (oonfig)finterface ssyne 6 

Router (config-it)} #encapsulation ppp 

Router (confiq-if)#asyne dynamic address 

Router (config-if) peer default ip address 10.2.3.4 


Router (config-if) #async mode interactive 
Router (config-if) #ppp authentication chap 


Physical Configuration 


Router (configi#iine 6 
Router (config-line) #login looal 
Router (contig-lane) fmodem inout 


Router (config-line) #spead 115200 
Router (confiq-line) #flewaontrol hardware 
Router (oonfiq-line) #auntoselect ppp 
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There is often confusion about the difference between the interface async and line commands. 
The major difference is that the interface async command lets you configure the protocol 
(logical) aspects of an asynchronous port, while the line command lets you configure the 
physical aspects of the same port. The asyne commands are internal, while the line commands 
configure external characteristics of the configuration. 


For example, you configure the basic modem-related parameters on a router using the line 


command. However, you configure the protocol encapsulation and authentication schemes with 
the interface async command. 
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Basic Modem Configuration 


This topic describes the basic modem configuration on a Cisco router. 


Basic Modem Configuration 


On the router 


seve 


Use modem commands to: (config) #line x 


« Set up hardware flow 
control : ? 
- Lock DTE speed (config~line) tpaseword xxxxx 
a Hang up on DTR low (config-line) #flowcontrol hardware 
« Enable CD to reflect (config-line) #speed 115200 
carrier status (config-line) #transport input all 
(config-line) #stopbits 1 
(config-line) tacden inout 
or 
(config-Line) #noden dialin 


(config-—line) #login 
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To make a successful asynchronous connection, you must configure the modem and the router 
properly. 

A modem must be configured to do the following: 

m Perform hardware flow control. 


™ Lock DTE speed to ensure that the modem will always communicate with the router at the 
specified speed (in this case, 115.2 kbps). The router speed command sets both transmit 
and receive speeds. 


m Hang up when you quit a session. 


m Have the CD signal reflect the carrier state truthfully. 
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On the router, use the commands in the table to configure the line to which the modem is 


attached. 


Line Commands 


Command Description 

exec Allows the EXEC process on this line. 

login Sets a login password on this line. Without the password, no connection is 
allowed. 

password Sets the password to be used when logging in to this line. 

flowcontrol Uses RTS/CTS for flow control. 

hardware 


speed 115200 


Sets the maximum speed (in bits per second) between the modem and the router. 
The speed command sets both the transmit and receive speed. 


transport input all 


Allows all protocols to be passed to the router through this line. 


stopbits 


Sets the number of stop bits transmitted per byte. 


modem inout 


Uses the modem for both incoming and outgoing calls. 


modem dialin 


Uses the modem for incoming calls only (the default). 


Note Software flow control (xon and xoff characters) is not recommended with modems and Cisco 


routers. 
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Standard Modem Commands 


This topic describes how to configure the most common modem commands. 


Standard Modem Commands 
gn | 


Action intended Command 


Saving the configuration AT&W 
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Attention commands for the modem have an AT prefix. In general, each modem vendor has its 
own modem command set that differs from other vendor command sets. 


However, some modem commands are common among most vendors, as described in the table. 


Common Modem Commands 


Command 


AT&F 


Description 


Loads the factory default settings (read only). 


ATSO=1 


Sets the modem to answer all incoming calls automatically on the first ring 
(recommended to be set to 2 for lines with caller ID). 


AT&C1&D3 


Sets up modem control (CD and DTR). 


ATS2=255 


Ignore the +++ command. The +++ characters set the modem to command mode. You 
may need to configure the far-end modem to ignore +++ because the +++ command 
issued to the near-end modem will be transmitted to the far-end modem. The far-end 
modem may interpret it and cause the connection to hang. This is a bug in the far-end 
modem. Many modems are affected. 


ATEO 


When echo off is set, the modem will not echo keystrokes. 


ATMO 


Turns off the external audio output from the modem. 


AT&W 


Saves the modem configuration into nonvolatile memory. 
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Nonstandard Modem Commands 


This topic describes the nonstandard modem commands for proper modem operation. 


Nonstandard Modem Commands 


oe Microcom Hayes USR 


Hardware flow control AT\Q3 AT&K3 AT&H1&R2 


Error correction AT\NG AT&Q5 AT&M4 
Compression AT%C1 AT&Q9 AT&K1 


Show configuration AT\S1 AT&Y ATI4 
Getting help AT&H AT&H AT& 


Saving the configuration AT&W AT&W AT&W 


Many modem commands are not standardized and vary from one vendor to another. The 
following modem configurations and commands are essential for modems that are attached to 
Cisco routers: 


= Hardware flow control: Use CTS and RTS. 


= Lock DTE speed: Sets the serial port of the modem to a fixed data transfer rate. Locking 
the speed between the modem and DTE device prevents the speed from being negotiated 
down during the initial call setup. 


= Error correction: Sets error control. 


= Compression: Uses the best compression algorithm that can be negotiated between the two 
communicating modems. 


= Show configuration: Shows current modem settings. 
= Getting help: Shows all of the AT commands for your specific modem. 
m Saving the configuration: Saves the configuration you just entered in the NVRAM of the 


modem. 


For nonstandard modem commands, refer to the vendor user manual that comes with each 
modem you have purchased. 
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Modem Initialization Strings 


This topic describes modem initialization strings for proper modem operation. 


Modem Initialization Strings 


U.S. Robotics (USR) Courier 
at&fs0=1&c1&d3&h1&r2&b1&Mm4&k1&w 


Hayes Optima/Accura 
at&fs0=1&c1&d2&k3&q9I&w 


Microcom QX4232 series 
at&fs0=1&c1&d2\q3\j0\n6%c1 &w 
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Initialization strings are used to send commands to modems before they dial out. The figure 
displays some examples of modem initialization strings. 


Command strings differ from vendor to vendor, model to model, and even from one firmware 
version to another. Always refer to the user manual from your modem vendor for the proper 
modem commands to use. 


Note A good exercise is to decode the initialization strings in the figure to see exactly what is and 
what is not turned on, and to see how the command strings differ from vendor to vendor. 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
ee ie nt: SOO] 


* Configuring a modem is complex task. 


« Several commands can be used to determine line 
numbering on a Cisco router. 


° Initialization strings can differ from vendor to 
vendor and model to model. 
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Quiz 
Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 


Ql) — Which type of connection does a remote terminal user make when dialing into the 
router through an asynchronous line? 


A) forward connection 
B) reverse connection 
C) moving connection 
D) stopped connection 


Q2) ~~ Which command displays all current users and their ports? 
A) show people 
B) show session 
C) show users 


D) show staples 


Q3) | Which command displays more detailed information on the specified line? 
A) show line detailed 
B) show line line-number 
C) show line information detailed 
D) show detailed line 
Q4) What is a vty line? 
A) virtual line dynamically assigned to the synchronous interface 
B) permanent connection between two switches 
C) very tight yellow line used for RJ-45 cables 
D) a high-speed broadband connection cable 


Q5) Which command lets you configure the protocol (logical) aspects of an asynchronous 


port? 

A) line 

B) enable password 
C) enable secret port 
D) interface async 
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Q6) 


Q7) 


Q8) 


Q9) 


When in (config-line)# mode, what does the router speed command set? 
A) the boot time of the router 

B) the data speed of the Ethernet port 

C) transmit and receive speeds 


D) the amount of bandwidth that you are requesting from your service provider at 
peak usage periods 


What does AT stand for in modem commands? 


A) at time commands 

B) async Tl commands 

C) autotransmit commands 
D) attention commands 


Which command signals are involved in hardware flow control? 
A) DTE and DCE 

B) VTP and FTP 

C) CTS and RTS 

D) OPP and POP 


What do modem initialization strings do? 


A) send commands to modems before they dial out 

B) send e-mail attachments to modems before they dial out 

C) send printer requests to the video monitor so that the modem will process them 
first 

D) secure a modem to the back of a computer properly 
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Quiz Answer Key 


Ql) A 
Relates to: Modem Connections 
Q2) Cc 
Relates to: EXEC Connection Commands 
Q3)  B 
Relates to: Sample Output for the show line Command 
04) A 
Relates to: Line Types and Numbering 
Q5) D 
Relates to: Interface Asynchronous and Line Configuration 
Q6) Cc 
Relates to: Basic Modem Configuration 
Q7) iD 
Relates to: Standard Modem Commands 
Q8) Cc 
Relates to: Nonstandard Modem Commands 
Q9) A 


Relates to: Modem Initialization Strings 
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Autoconfiguring Modems 


Overview 


Modem autoconfiguration simplifies the process of adding a modem for out-of-band 
management or remote dial-in connectivity. This lesson contains descriptions of modem 
autoconfiguration methods and commands to reduce the complexity of modem initialization. 


Relevance 


This lesson describes the process of modem autoconfiguration. Modem autoconfiguration 
eliminates the process of manually issuing the initialization strings on a modem. 


Objectives 


Upon completing this lesson, you will be able to: 

= Configure modem autoconfiguration with a generic modem type 
™ Configure modem autoconfiguration with a specified modem type 
m= Verify the modemcap database 


= Configure the modemcap database with a custom modemcap 


Learner Skills and Knowledge 
To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO) 
course 


m All knowledge presented in the Cisco /nterconnecting Cisco Network Devices (ICND) 
course 


Outline 


This lesson includes these topics: 

m Overview 

= Modem Autoconfiguration 

m Automatic Modem Configuration 

= Modem Autodiscovery 

= Modem Autoconfiguration: Configuring 
= Modem Autodiscovery: Configuring 

= Known Modem Initialization String 

™ Modemcap Database 


= Modemcap Database Management 


™ Modemcap Entries: Viewing 

= Custom Modemcap Entry: Creating and Editing 
™ Custom Modemcap Entry: Viewing 

= Summary 


B Quiz 
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Modem Autoconfiguration 


This topic describes modem autoconfiguration. 


Using Modem Autoconfiguration 


Autoconfiguration is used to: 


* Configure modems without using modem 
configuration commands 


* Autodiscover modems 
Operational areas: 

* Automatic modem configuration 

* Modem autodiscovery 

* Modemcap database management 
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Modem autoconfiguration facilitates the configuration of modems on routers. To set up a 
modem using modem autoconfiguration, connect the phone line and power cable to the modem, 
and use the modem autoconfigure command on the line with the modem. No other setup 
function is required for most modems. 


You can use the modem autoconfiguration feature when you want to: 


™ Configure a modem without sending modem configuration commands directly to the 
modem 


m Use the asynchronous interface to autodiscover the modem type 


To better understand modem autoconfiguration, consider its properties and characteristics: 


= Automatic modem configuration: You can configure a line to use a specified modem 


type. 


m Modem autodiscovery: You can configure a line to automatically attempt to discover the 
type of modem on the line and to use that modem configuration. 


= Modem capability database (modemcap file in Cisco IOS software): A modemcap is a 
database of modems and their modem configuration command strings. 
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Automatic Modem Configuration 


This topic describes the process of modem autoconfiguration. 


Automatic Modem Configuration 


With modem autoconfiguration, 
modems: 


* Are reconfigured each time the line is reset 
(AT commands are sent) 


* Can use a customized line configuration 
* Are configured to match current line settings 
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With automatic modem configuration, each time a modem is reset, a chat script is executed that 
sends a string of modem configuration commands (AT commands) to the modem. This modem 
configuration command string is generated automatically whenever the modem is recycled. 


For example, an IP dial-in modem configured with flow control would receive this command 
sequence: 

m™ Return to factory defaults 

™ Use hardware flow control 

= Other modem configuration commands 


In addition, the line configuration may be changed if the speed specified for the modem DTE 
differs from the current configuration on the line. 
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Modem Autodiscovery 


This topic discusses modem autodiscovery in determining a specific modem model. 


Modem Autodiscovery 


j ‘1 know you... \ 


\\codex 3260! 


ae 


/ What type of \ f \ 
| modem are , hayes_optima } 
KN you? / \. modem! _/, 


— 


You can configure a line to expect a specific modem mode. If no modem is specified, the router 
attempts to autodiscover the type of modem to which it is attached. The router determines the 


type of modem by sending AT commands to the modem and evaluating the response. The 


router includes a modemcap database with information on the following modems: 


Codex 3260: codex_ 3260 

U.S. Robotics Courier: usr_courier 

U.S. Robotics Sportster: usr_sportster 

Hayes Optima: hayes optima 

Global Village: global_village 

Viva: viva 

Telebit t3000: telebit_t3000 

Microcom: microcom_hdms, microcom_server 
NEC: nec_v34, nec_v11, nec_piafs 


Cisco Systems: mica, cisco_v110 


The specific modemcap entries found on a particular system will be determined by the 
hardware and Cisco IOS software version that is installed. 
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Note Whenever possible, configure the modem to eliminate the overhead of modem 
autodiscovery. 


Any modems that are not currently supported in the list can be manually added to the list to be 
autodiscovered in future communication. 


Here is a sample debug of how a router establishes synchronization with a modem: 


RTA# 


6d19h: 
6d19h: 
6d19h: 
6d19h: 
6d19h: 
6d19h: 
6d19h: 
6d19h: 
6d19h: 
6d19h: 
6d19h: 
6d19h: 
6d19h: 
6d19h: 
6d19h: 
6d19h: 
6d19h: 


TTY1: 
TTY1: 
TTY1: 
TTY1: 
TTY1: 
TTY1: 
TTY1: 
TTY1: 
TTY1: 
ttyl: 
TTY1: 
TTY1: 
TTY1: 
TTY1: 
TTY1: 
TTY1: 
TTY1: 


Line reset by "Virtual Exec" 


Modem: IDLE->HANGUP 
destroy timer type 0 
destroy timer type 1 
destroy timer type 3 
destroy timer type 4 
destroy timer type 2 
dropping DTR, hanging up 
Set DTR to 0 

Modem: HANGUP->IDLE 
restoring DTR 


Set DTR to 1 


autoconfigure probe started 


Modem command: --AT&F&C1&D2S0=1H0-- 


Modem configuration succeeded 


Detected modem speed 38400 


Done with modem configuration 
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Modem Autoconfiguration: Configuring 


This topic describes the process of configuring modem autoconfiguration. 


Configuring Modem 
Autoconfiguration 


Configuration may include: 
* Configuring modem autodiscovery 
or 
° Specifying a specific modem type 
* Managing the modemcap database 


Modem autoconfiguration includes the following tasks: 


= Configuring modem autodiscovery: You can configure the line to detect the type of 
modem connected to the line. 


m= Specifying a modem to be used on the line: Whenever the line resets, the line 
automatically sends the correct initialization command string to the modem. 


m= Managing the modemcap database, including: 
— Viewing the types of modems that are in the modemcap database. 
— Displaying and modifying modemcap entry command strings. 
— Creating and viewing a variant modemcap entry. 


— Use the show modemcap command to view the types of modems that are in the 
modemcap file. The show modemcap modem-type command allows you to view 
the initialization string for the specific modem type entered. 
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2-52 


This topic describes the commands that are used to implement modem autodiscovery. 


Configuring Modem 
Autodiscovery 


a : 


Router#configure terminal 

Router (config) #line 1 16 

Router (config-line) #modem autoconfigure discovery 
Router (config-line) #end 

Routerfcopy running-config startup-config 


As shown in the figure, the modem autoconfigure discovery command configures modem 
autodiscovery. 


This command instructs the router to do the following on lines 1 through 16: 

m Send the AT string at various baud rates until it receives an OK 

m Send a variety of AT commands, attempting to receive a complete identification of the 
modem identified in the router modemcap 


The default modem entry is used if the router cannot determine the modem type. 


If you know that your modem can be configured using an initialization string from one of these 
scripts, you can issue the modem autoconfigure type type command, where type is one of the 
strings in the modemcap list. Initialization proceeds more quickly if you list a specific modem 


type. 


Note To eliminate the overhead of modem autodiscovery and to avoid modem configuration 
ambiguity that is caused by modem autodiscovery, configure the modem type using the 
autoconfigure type command whenever possible. 


It may be necessary to manually configure the modem or change the modemcap database if 
none of the strings properly initialize the modem. 
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Known Modem Initialization String 


This topic describes the commands that are used to configure modem autodiscovery with a 
specified modem model. 


Specifying a Known Modem 
Initialization String 


Router#configure terminal 

Router (config) #line 1 

Router (config-line) #modem autoconfigure type usr_sportster 
Router (config-line) fend 

Routerfcopy running-config startup-config 


In the figure shown, the router is configured to send an initialization string for a U.S. Robotics 
Sportster modem on line 1. 
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Modemcap Database 


This topic describes the purpose of a modemcap database on a Cisco router. 


Modemcap Database 
= Se ee | 


ae Modemcap Database 
default AT string 
codex_3250 AT string 
usr_courler AT string 


usr_sportster AT string 
hayes_optima AT string 


%. Wwlebit_{3000 AT string 


You can: 


¢ View the modemcap database 
¢ Add entries to the modemcap database 


The modemcap is a list of modems with a known set of AT configuration commands for setting 
the attributes for each modem type. For example, many modems use the string AT&F to reset 
the modem to its factory default attributes. 


Modem attributes have a full name and a two- or three-letter abbreviation. Factory default, for 
example, is also referred to as FD. For normal operation, you do not need to know these 
abbreviations. If you are familiar with the modem abbreviations, you can add entries to the 
modemcap database. 
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Modemcap Database Management 


This topic describes the commands for managing the modemcap database. 


Managing the Modemcap Database 


Router #show modemcap 
default 


codex 3260 
usr_courier 
usr_sportster 
hayes optima 
global_village 
viva 


telebit_t3000 
microcem_hdms 
microcom server 
nec v34 

nec vil 

nec piats 
cisco v1l10 

mica 
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The modemcap database contains entries for supported modems. Complete these tasks to 
manage a modemcap database entry: 


m= View modem entries in the modemcap database with the show modemcap command, as 
shown in the figure. 


m View the contents of a modem modemcap entry. 
m Modify a modem modemcap entry. 


m™ Create a modem database entry. 
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Modemcap Entries: Viewing 


This topic describes the concepts and commands for viewing modemcap entries. 


Viewing Modemcap Modem Entries 
i ee OR ES | 


Routerfishnow modemcap codex 326) 
Modemcap valuer [or coedex_3260 
Pactory Defaults (PD): &F 
Autcanswer (AA): SO#l 

Carrier detect (CD): sCl 

Drop with DTR (DTR): sD2 
Hardware Flowcontrol (HFL): *FL3 
Lock DTE speed (SPD): ¥*SC1 
Beast Breer Cantrell (BER): *8Ha 
Sest Compression (BCP): *bcCi 
Ne Errer Contresel (NER): *SM. 
No Compression (NCP): *DcOoO 

No Eche (NEC): EO 

No Result Codes (NRS): O1 
Software Flowcontrol (SFL): [not set] 
Caller Mm (cD): «£581 
Miscellaneous (MSC): [mot set] 
Template entry (TPL): detault 


e AT commands for a specific modem 
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The show modemcap command displays the modems in the modemcap database. In addition, 
with the modem type specified, the command shows a complete list of the specified modem 
modemcap entry that includes these fields: 


= Command description 
= Command abbreviation (with colon separator) 
= Command string 


The figure shows the AT command string attributes and their values for the Codex 3260 
modem. 


The default modem type has modemcap values for a few of the most common attributes. It does 
not contain strings for attributes that vary widely by modem type, such as locking speeds, 
setting hardware flow control, or dealing with compression and error correction. 


You can use the modemcap entry modem-name command or the show modemcap modem- 
name command to see the contents of a modem modemcap entry. The modemcap entry 
modem-name command displays modemcap values in a truncated form. 


You can also create variant modemcap entries to add new modems or extend the functionality 


of a modem in the modemcap database. How these entries are created is discussed in 
subsequent topics in this lesson. 
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Custom Modemcap Entry: Creating and Editing 


This topic describes the commands that are necessary to create and edit a modemcap entry. 


Creating and Editing a Custom Modemcap 


Entry 
ee gn SAORI S| 


Routerfconfig terminal 
Router# (config)modemcap edit usxr_new caller-id *U1 


Router# (config)modemcap edit usr_new speed 6Bl 
Router# (config)modemcap edit usr_new template usr courier 


Routerffishow modemcap 
codex 3260 
usr_courier 


usr_sportster 
hayes_optima 
giobal_ village 
usr_new 
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Use the modemcap edit new-modem-name command to complete these tasks: 


m Add anew entry to the modemcap database. Note that in performing this task, you must 
specify an attribute for the new modem entry; otherwise, use modemcap entry new- 
modem-name without attributes. 


m= Add new attributes to an existing modem entry in the modemcap database. 


The figure displays the following uses of the modemcap edit usr_new command: 
1. This command creates the usr_new entry in the modemcap database and sets the caller-id 
for the usr_new modem to *U1. 


2. This command locks the DTE speed on this modem. 


3. This command points to another modemcap entry to be used as a template. As a result, any 
value not found in the current modemcap entry is set by the template modemcap entry. In 
this example, the usr_courier modemcap entry is the template. You can have up to four 
layers of templates. 


You can use these additional commands when creating variant modem cap entries: 
m= Use the modemcap edit command to edit user-created modemcap entries only. 
m Use the show modemcap command to verify the new router modemcap entry. 


m= Use the no modemcap entry modem-name command to remove the specified modem 
from the modemcap database. 


m= Use the no modemcap entry modem-name attribute command to remove a modem 
attribute from a modem modemcap entry. 
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Custom Modemcap Entry: Viewing 


This topic contains concepts and commands for viewing a modemcap entry. 


Viewing a Custom Modemcap sulin 


Router#show modemcap usr new 

Modemcap values for usr_new 

Factory Defaults (FD): SF 

Auteoanswer (AA): S0=1 

Carrier detect (CD): «Cl 

Drop with DTR (DTR): &D2 

Hardware Flowcontrol (HFL): 4H1ékR2 

Leck DTE speed (SPD): <éB1 

Best Exrcr Control (BER): oma 

Best Compression (BCE): 4&K1 

No Error Control (NER): 4M) 

No Compression (NCP): &K0 

No Echo (NEC): EO 

No Result Codes (NRS): Q1 

Software Flowcontrol (SFL): [not set] 

Caller ID (CID): *v1_ 

Miscellaneous (MSC): [net set) 
©] Template entry (TPL): usr_courier 
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After configuring a modemcap entry with the modemcap edit command, use the show 
modemcap modem-name command to verify the new modemcap attribute values. 


The figure shows the output for the new modemcap created in the previous topic. The numbers 
in the figure correspond to the numbers that are used in the previous topic with each 
modemcap edit command. 


Specifically, the usr_new modemcap shown in the figure is identical to the usr_courier entry 
with the following exceptions: 

m The DTE speed lock 

m The caller ID field 

m= The template 

If you used the show running-config command, the usr_new information for the configuration 
on the previous page would appear as a line in the configuration: 


modemcap entry usr_new SPD=&B1:CID=*U1:TPL=usr_courier 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
eee 


* Modem autoconfiguration simplifies the process of 
adding a modem for out-of-band management or 
remote dial-in connectivity. 


* Automatic modem configuration executes a chat 
script that sends a string of configuration 
commands to the modem. 


¢ The modem capability database is a list of modems 
with a known set of configuration commands for 
setting each modem type attribute. 
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Quiz 


Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 


Ql) 


Q2) 


Q3) 


Q4) 


QS) 


What is a modem chat script? 


A) instructions for a modem to self-destruct 

B) a string of text that defines the handshaking that occurs between two DTE 
devices 

C) a set of commands that enable any modem to achieve a doubling of its 


maximum bandwidth speed 
D) a session involving the video monitor, keyboard, and printer 
What is a database of modems and their modem configuration command strings called 
in Cisco IOS software? 
A) modeminfo 
B) modemcap 
C) modemdata 


D) modemconfigs 


How does the router determine the type of modem used? 


A) The router sends AT commands to the modem and evaluates the response. 
B) The router detects the specific modem cable used. 

C) The router does not need to know the modem type. 

D) The phone number dialed has a special code for the modem. 


Which command is used to view the types of modems that are in the modemcap file? 
A) show modem all 

B) show modem types 

C) show modemcap 

D) show modemfile 

Which command do you issue if you know that your modem can be configured using 
an initialization string from one of the modemcap scripts? 

A) modem autoconfigure type type 

B) modem configure 

C) modem configureauto 


D) modem type auto 
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Q6) 


Q7) 


Q8) 


Q9) 


Q10) 


Q11) 


Which router configuration mode is used in configuring a modem? 


A) router# 

B) router(config)# 

C) router(config-line)# 

D) router(config-if)# 

Which modem string is typically used to reset the modem to its factory default 
attributes? 

A) AT&D 

B) AT&K 

C) AT&H 

D) AT&F 


What does the modemcap database contain? 


A) 
B) 
C) 
D) 


entries for supported printers 
entries for supported modems 
entries for supported switches 


entries for supported video monitors 


How do you add new modems or extend the functionality of a modem in the 


modemcap database? 


A) 
B) 
C) 
D) 


by purchasing older slower modems for your network 
by creating variant modemcap entries 
by using different modem cables 


by using a printer cable for a modem cable 


Which command is used to add a new entry to the modemcap database? 


A) 
B) 
C) 
D) 


router# show modemcap 
router# config line modemcap 
router# line modemcap 


router# modemcap entry usr_new 


After configuring a modemcap entry with the modemcap edit command, which of the 


following commands should be used to verify the new modemcap attribute values? 


A) 
B) 
C) 
D) 


show modembase modem-name 
show modemcap modem-name 
show modemdata modem-name 


show modeminfo modem-name 
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Quiz Answer Key 


2-62 


Ql) 


Q3) 


Q4) 


Q5) 


Q6) 


Q7) 


Q8) 


B 


Relates to: 


B 


Relates to: 


A 


Relates to: 


Cc 


Relates to: 


A 


Relates to: 


Cc 


Relates to: 


D 


Relates to: 


B 


Relates to: 


Relates to: 


Relates to: 


Relates to: 


Modem Autoconfiguration 


Automatic Modem Configuration 


Modem Autodiscovery 


Modem Autoconfiguration: Configuring 


Modem Autodiscovery: Configuring 


Known Modem Initialization String 


Modemcap Database 


Modemcap Database Management 


Modemcap Entries: Viewing 


Custom Modemcap Entry: Creating and Editing 


Custom Modemcap Entry: Viewing 


Building Cisco Remote Access Networks (BCRAN) v2.1 


Copyright # 2004, Cisco Systems, Inc. 


Verifying and Debugging 
Modem Autoconfiguration 


Overview 


After you connect the modem hardware, you may experience issues with modem 
autoconfiguration. This lesson explains how to verify and debug modem autoconfiguration. 


Relevance 


After you configure modem autoconfiguration, it is helpful to know how to troubleshoot and 
verify the proper operation in the context of dial-in and dial-out services. 


Objectives 
Upon completing this lesson, you will be able to: 
m= Issue commands to debug modem autoconfiguration 
= Troubleshoot modem autoconfiguration 


m™ Create a chat script for modem initialization 


Learner Skills and Knowledge 
To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m= All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO) 
course 


m All knowledge presented in the Jnterconnecting Cisco Network Devices (ICND) course 


Outline 


2-64 


This lesson includes these topics: 


Overview 

Verification of Modem Autoconfiguration Operation 
Modem Autoconfiguration Troubleshooting 

Chat Scripts for Asynchronous Lines 


Summary 


Quiz 
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Verification of Modem Autoconfiguration 


Operation 


This topic describes the commands that are used to debug modem autoconfiguration. 


Verifying Modem 
Autoconfiguration Operation 


Routert#tdasbug confmodem 


TTYS?: 
TTy9?: 
TTY97: 
TTY97: 
PTYS7: 
Trx9?: 
Trx97: 
TTY97: 
TTY9?: 
TTY97: 


detectian apesd (115700) reaponse ---OK--- 

Modem command: --Al-- 

Modem oonfiqguration sucarmeded 

Detected modem speed 115200 

Done with modem configuration 

detection speed (115200) response ---Ox--- 

Modem command: —-ATEPSC1I£D 2 SH1LER25M45X1 5815 0=1n0-- 
Modem oconfiquration succeeded 

detection speed (115200) response ---OK--- 

Done with modem configuration 


The debug confmodem command displays the modem configuration process. For example, the 


figure shows a router modem configuration process on line 97 with a U.S. Robotics Sportster 
modem attached. 


You can also use these commands to verify operation: 


m= The show line command shows the type of modem configured on a line. 


m The clear line command returns a line to its idle state. Normally this command returns the 
line to its conventional function as a terminal line, with the interface left in a down state. 
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2-65 


Modem Autoconfiguration Troubleshooting 


2-66 


This topic describes the commands that are used to troubleshoot modem autoconfiguration. 


Troubleshooting Modem 
Autoconfiguration 


uf x9 


Common problems with modem autoconfiguration: 
¢ The modem does not respond. 


* The modem is not recognized by modem 
autodiscovery. 


° There is an original modemcap entry problem. 
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To troubleshoot modem autoconfiguration, consider the following conditions and solutions: 
= Modem not responding 
— Is the modem power supply connected and turned on? 
— Is the power-up configuration set to factory default? 
— Can you connect using reverse Telnet? 
—  Doyou have dial tone at the phone jack? 
= Modem not recognized by modem autoconfigure discovery 
— Use the show line command to verify the modem configuration that the line is using. 
— Check to see if the Cisco router recognizes the modem. 


— Use the modem autoconfigure type modem-name command. 


Note Use the show modemcap command to verify modemcap support for this modem. 


m™ Original modemcap entry problem 


— Ifyou configured your own modemcap entry, and reconfiguration appears to 
function, verify that the DTR attribute is not set to &D3. 


Remember that you can also check the manual supplied by the modem manufacturer. 
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Chat Scripts for Asynchronous Lines 


This topic describes the concepts and commands that are needed to create a chat script. 


Chat Scripts for Async Lines 


nf <—_______@ 


Router (config)#chat-script script-name expect-string send-string 


* Modem configuration 
* Dialing and remote login commands 
* Failure detection 


Router (config) #chat-script Central ABORT ERROR ABORT BUSY 
“’ “ATZ” OK “ATDT \T” TIMEOUT 30 CONNECT \c 


¢ Sample chat script 
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The Cisco IOS software autoconfigure feature is sufficient for most modem connections. 
Occasionally, however, custom chat scripts may have to be written to perform certain tasks. 


A chat script provides a way to customize how the DTE interacts with the DCE. It is a string of 
text that defines the handshaking that occurs between two DTE devices or between a DTE and 
its directly attached DCE. The chat script consists of expect-send pairs that define the string the 
local DTE system expects to see from the remote DCE device and that specify which reply the 
local system should send. 

For example, you can configure chat scripts for these tasks: 

m Initializing the directly attached modem 

m= Instructing the modem to dial out 


= Logging in to a remote system 
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The sample chat script command in the figure is described in the table. 


Chat Script Commands 
Command Description 
Central Defines the name of this chat script as Central. 


ABORT ERROR Stops the chat script if an error is encountered. 


ABORT BUSY Stops the chat script if a busy signal is encountered. 


ride Expects a null string. Therefore, expect no input string. 


“ATZ” Without expecting an input string, sends the AT command to reset the modem to its 
stored profile. 

OK “ATDT \T” When the input string OK is seen, sends the AT command to instruct the modem to 
dial the telephone number in the dialer string or start-chat command. 

TIMEOUT 30 Waits up to 30 seconds for the input string CONNECT. 

CONNECT 

\c Indicates the end of the chat script. 


You can use the start-chat command to manually test a chat script on any asynchronous line 
that is not currently active. 


Chat scripts can also be activated by any of the following five events, each corresponding to a 
different version of the script command: 


= Line activation: Starts a chat script on a line when the line is activated (every time a 
command EXEC is started on the line). 


= Connection: Starts a chat script on a line when a network connection is made to the line: 
triggered by outgoing traffic (reverse Telnet). 


m Startup: Triggered when the system starts up. 
m= Dialer: Triggered by dial-on-demand routing (DDR). 
m Line reset: Triggered by asynchronous line reset. 


Refer to Cisco.com for more information on chat scripts and the script command. 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
ee cee SAN P| 


* The debug confmodem command displays the 
modem configuration process. 


* Use the show line command to verify the modem 
configuration that the line is using. 


* Achat script provides a way to customize how the 
DTE interacts with the DCE. 


Next Steps 
For the associated lab exercise, refer to the following section of the course Lab Guide: 


m Lab Exercise 2-1: Configuring Asynchronous Connections with Modems 
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Quiz 
Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 
Ql) ~~ Which of the following commands displays the modem configuration process? 
A) show line 
B) clear line 
C) show modem process 


D) debug confmodem 


Q?2) What can a network administrator do as a last resort when troubleshooting modem 


autoconfiguration? 
A) check the manual supplied by the router manufacturer 
B) check the manual supplied by the modem manufacturer 


C) check the manual supplied by the hub manufacturer 


D) check the manual supplied by the switch manufacturer 


Q3) Achat script provides a way to customize how the 
A) DTE interacts with the DTE 
B) DTE interacts with the DCE 
C) DCE interacts with the DTE 
D) DCE interacts with the DCE 
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Quiz Answer Key 


Ql) D 

Relates to: Verification of Modem Autoconfiguration Operation 
Q2) B 

Relates to: Modem Autoconfiguration Troubleshooting 
Q3) B 


Relates to: Chat Scripts for Asynchronous Lines 
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Module 3 | 


Configuring PPP Features 


Overview 


This module reviews PPP and provides additional information on link control protocol (LCP) 
options of authentication, callback, compression, and Multilink PPP (MLP). 


Objectives 


Upon completing this module, you will be able to: 


Outline 


Configure PPP features at a central site and a branch office to allow exchange of data 
between the sites 


Configure PAP or CHAP authentication to allow access to a secure site 
Configure and verify callback and compression 
Configure and verify MLP 


Verify and troubleshoot an incorrect configuration so data travels as intended across the 
PPP link 


The module contains these lessons: 


Describing PPP Features 

Configuring Basic PPP 

Configuring LCP Options: Authentication with PAP and CHAP 
Configuring LCP Options: Callback and Compression 
Configuring LCP Options: Multilink PPP 

Verifying and Debugging PPP 
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Describing PPP Features 


Overview 


PPP is an RFC standard that provides interoperability among WAN devices of multiple 
vendors. This WAN protocol operates at the physical and data-link layers of the Open System 
Interconnection (OSI) model. This lesson describes PPP operation. 


Relevance 
PPP is a key WAN protocol implemented at many sites. You should understand how PPP 
operates before you configure its services. 


Objectives 


Upon completing this lesson, you will be able to: 

m= Describe how remote nodes can connect using PPP 
m™ Describe the properties of PPP 

™ Compare and contrast HDLC and PPP 


Learner Skills and Knowledge 


To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO) 
course 


m All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course 


Outline 


3-4 


This lesson includes these topics: 


Overview 

Remote Node Connections 
PPP Architecture 

HDLC and PPP Frames 


Summary 


Quiz 
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Remote Node Connections 


This topic describes how remote node connections can be made using PPP. 


Remote Node Connections 


“> 


RouterB Modem ppp 


eonee ol 
Modem Router A 
a E-Mail 
# Server 


—zT Modem 
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Remote access is an integral part of the corporate mission. Traveling salespeople, executives, 
remote office staff, and small office, home office (SOHO) users all need to communicate by 
connecting to the central office LAN. The proliferation of laptops in the workplace has 
increased the need to remotely access electronic information. 


To support remote connections, remote node users will use network application software (FTP, 
Telnet), protocol stacks (TCP/IP), and link-layer drivers (PPP) installed on their own remote 
devices. The higher-layer protocols are encapsulated in the link-layer protocols (such as PPP) 
when transmitted across the dialup line. 


Point-to-point links between LANs, hosts, terminals, and routers can provide sufficient physical 
connectivity in many application environments. Many regional and commercial network 
services provide access to the Internet and point-to-point links, which provide an efficient way 
to access the service provider locally. 


The Internet community has adopted schemes for the transmission of IP datagrams over serial 
point-to-point lines. One of the schemes, PPP, is a modern transmission method that provides 
router-to-router and host-to-network connections over synchronous and asynchronous circuits. 


Although PPP was designed with IP in mind, you can use PPP for other network-layer 
protocols such as Internetwork Packet Exchange (IPX) and AppleTalk. Moreover, PPP supports 
essential features such as dynamic address allocation, Password Authentication Protocol (PAP) 
authentication, Challenge Handshake Authentication Protocol (CHAP) authentication, and 
Multilink PPP (MLP). 
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Note The AppleTalk Remote Access Protocol (ARA Protocol) and Serial Line Internet Protocol 
(SLIP) are not used very frequently in current network configurations, and, as such, they are 
not covered in this course. For additional configuration information, refer to the Cisco 
Documentation CD-ROM or Cisco.com. 


High-Level Data Link Control (HDLC) is the default encapsulation for ISDN and serial 
interfaces on a Cisco Systems router. Although HDLC is a default encapsulation, Cisco HDLC 
is not necessarily compatible with the HDLC implementations of other vendors because it 
contains a network-layer protocol identifier field. PPP implementations follow open standards 
and should always be compatible. Therefore, PPP is the protocol of choice when configuring 
serial links in a multivendor environment. 


It is important to note that PPP actually uses HDLC as a basis for encapsulating datagrams. 
However, PPP is more robust than HDLC because it adds extensions (features) to the link layer. 
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PPP Architecture 


This topic describes the PPP architecture at Layer 2 of the OSI model. PPP is an RFC standard 
protocol. 


PPP Architecture 


OSI Layer 


Upper-Layer Protocols 
(such as IP, IPX, AppleTalk) 


Physical Layer 
(such as EIA/TIA-232, V.24, V.35, ISDN) 


| 

| 
t 
Ie 
=i 
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PPP is a nonproprietary protocol that is defined by a series of open Internet standards called 
RFC standards. For this reason, PPP is referred to as a standards-based protocol. 


PPP also describes mechanisms for the following features: 
= Network-protocol multiplexing 

= Link configuration 

m = Link-quality testing 

m Authentication 

m Header compression 

m Error detection 


= Link-option negotiation 
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PPP also includes these functional components: 


= Method for encapsulating datagrams over serial links, based on the International 
Organization for Standardization (ISO) HDLC protocol (not Cisco HDLC) 


= Link control protocol (LCP) for establishing, configuring, and testing the data-link 
connection 


m PPP IP Control Protocol (IPCP), for managing TCP header compression and IP address 
negotiation 


= Authentication 


= Network Control Protocols (NCPs) for establishing and configuring various network-layer 
protocols such as IP, IPX, and AppleTalk (for example, IPCP is the NCP for IP) 


Note Authentication level for access control is optional. 


The following is a partial list of RFCs of interest for access products: 

m RFC 1220: “Point-to-Point Protocol Extensions for Bridging” 

m RFC 1332: “PPP IP Control Protocol (IPCP)” 

m RFC 1378: “PPP AppleTalk Control Protocol (ATCP)” 

m RFC 1492: “Access Control Protocol or TACACS+” 

m RFC 1549: “PPP in HDLC Framing” 

m RFC 1552: “The PPP Internetwork Packet Exchange Control Protocol (IPXCP)” 
m RFC 1570: “PPP LCP Extensions” 

m RFC 1661: “The Point-to-Point Protocol (PPP)” 

m RFC 1990: (Replaces RFC 1717): “The PPP Multilink Protocol (MP)” 
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HDLC and PPP Frames 


This topic describes the similarities and differences between HDLC and PPP frames. 


Comparing HDLC and PPP Frames 


HDLC ISO Frame 
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As mentioned earlier, the PPP frame format is based on the HDLC frame format put forth by 
the ISO. But unlike the ISO HDLC frame, the PPP frame defines two additional fields. The 
protocol and LCP fields are the keys to the features of PPP. 


PPP can negotiate link options dynamically and can support multiple Layer 3 protocols, such as 
IP, IPX, and AppleTalk. PPP accomplishes these two tasks by encapsulating Layer 3 datagrams 
with a specialized frame. 


The protocol field is used to identify various Layer 3 protocols, such as IP or IPX. The LCP 


field allows for such features as authentication, callback, compression, and MLP. The address 
field consists of a broadcast address (all ones), because there is no station address in PPP. 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
ee ere ns SOME] 


¢ Point-to-point links between LANs, hosts, 
terminals, and routers can provide sufficient 
connectivity in many application environments. 


° PPP is a nonproprietary protocol that is defined by 
a series of open Internet standards. 


* PPP can negotiate link options dynamically and 
can support multiple Layer 3 protocols. 
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Quiz 
Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 
Ql) — Which upper-level protocols are supported by PPP? 
A) IP 
B) IPX 
C) AppleTalk 
D) all of the above 


Q2) Which of the following protocols is referred to as a “standards-based protocol”? 


A) HDLC 

B) SLIP 

C) ARA Protocol 
D) PPP 


Q3) — Which field of the PPP frame identifies various Layer 3 protocols? 
A) flag 
B) address 
C) control 


D) protocol 
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Quiz Answer Key 


Ql) D 

Relates to: Remote Node Connections 
Q2) D 

Relates to: PPP Architecture 
Q3) D 


Relates to: HDLC and PPP Frames 
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Configuring Basic PPP 


Overview 


You can use PPP to connect your LAN to the WAN of your service provider. This lesson 
describes how to use this protocol to encapsulate both data-link layer and network layer 
information over serial links and how to configure PPP. 


Relevance 


You may have PPP connections within your network or between your network and a service 
provider. You should know how to configure the serial ports for PPP encapsulation. 


Objectives 


Upon completing this lesson, you will be able to: 


m Use the Cisco IOS software commands to configure serial interfaces using PPP 
encapsulation for leased-line connections 


m Enable autoselection of PPP encapsulation on an asynchronous interface 
™ Configure Layer 3 addressing on a serial interface 


m™ Describe the various LCP options for PPP 


Learner Skills and Knowledge 


To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO) 
course 


m= All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course 


Outline 


3-14 


This lesson includes these topics: 


Overview 

PPP: Enabling 

PPP Session and EXEC Session 

PPP and Asynchronous Interface: Enabling Commands 
Autoselect 

Asynchronous Interface Commands for Addressing 
Summary 


Quiz 
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PPP: Enabling 


This topic describes the commands to enable PPP encapsulation. 


Enabling PPP 


Router (config-if)# encapsulation ppp 


° Defines encapsulation type 


PPP can be enabled on various types of interfaces, including synchronous, asynchronous, serial, 
ISDN BRI, and ISDN PRI interfaces. The syntax to enable PPP is the same, regardless of 
interface. 


An example of configuring PPP on a synchronous interface would be: 


Router (config)# interface serial 0 


Router (config-if)# encapsulation ppp 
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PPP Session and EXEC Session 
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This topic describes the concepts of initiating PPP via an in-band PPP session and an out-of 
band EXEC session. 


PPP Session and EXEC Session 


PPP Session 
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You can use asynchronous connections as either an in-band PPP session or an out-of-band 
EXEC session. 


An in-band PPP session is the most common type of connection because it provides users 
access to network resources such as web servers and mail servers. You can configure PPP in- 
band as a dedicated session (dedicated mode) or an interactive session (interactive mode). In 
dedicated mode, an interface is automatically configured for PPP connections. In interactive 
mode, the user can choose between an in-band and an out-of-band session. 


Generally, you will want to restrict the ability of remote users to start EXEC sessions with your 
router. Typical end users do not require access to the router interface. Instead, they need a 
Layer 3 protocol (IP and so on) connection to the corporate network or the Internet. In most 
cases, you should force the asynchronous interface to use PPP and not allow an EXEC 
connection. 


To ensure that the dial-in user must run PPP on the specified line, use the async mode 
dedicated command: 


Router (config-if)# asyne mode dedicated 


An out-of-band EXEC session is typically configured to allow administrators and power users 

to access the router command-line interface (CLI). This feature allows remote users to log in to 
the router and issue commands as if the user were connected to the console port. IP addressing 
or PPP encapsulation is not necessary for this type of connection. Data is sent as asynchronous 
characters. 
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PPP and Asynchronous Interface: Enabling 
Commands 


This topic describes the steps that are necessary to correctly enable PPP on an asynchronous 
interface. 


Enabling PPP and Async 
Interface Commands 


Router (config-if)# encapsulation ppp 


* Defines encapsulation type 


Router (config-if)# async mode dedicated 

» Places the line in dedicated PPP mode 
OR 

Router (config-if)# async mode interactive 


¢ Places the interface in interactive mode 
(allows an EXEC process) 


To provide some flexibility to the dial-in user to start either a PPP session or an EXEC session, 
use the asyne mode interactive command: 


Router (config-if)# asyne mode interactive 


The asyne mode interactive command configures the router so that it will allow the remote 
host to choose either a PPP session or an EXEC session. 


Enabling this feature requires two steps: 
Step 1 You must configure the interface with the asyne mode interactive command. 


Step 2 You must configure the corresponding terminal line with the autoselect command. 
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Autoselect 


3-18 


This topic describes autoselection when using multiple session types on an interface. 


Autoselect 
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After configuring the asyne mode interactive command, the second step is to configure the 
corresponding terminal line or lines with the autoselect ppp command: 


Router (config)# line 1 


Router (config-line)# autoselect ppp during-login 


The PPP autoselect feature configures an access server terminal line to provide either a PPP 
session or an EXEC session, based on input from the remote host. Essentially, this feature 
allows the remote host to determine the session type. The access server automatically detects 
which type of session is being requested, and responds accordingly. 


The autoselect command permits the access server to allow an appropriate process to start 
automatically when a starting character is received: 


m= Ifthe start character is a Return character, then the access server starts an EXEC session. 
Therefore, users who want to begin an EXEC session typically must press the Return key 
after establishing a dialup connection. 


m Ifthe access server recognizes the start character as PPP, it will begin a session for 
whichever protocol it detects. Therefore, if an end user is using a program that sends a PPP 
frame, the access server will automatically start a PPP session. 


Note PPP frames always start with a flag character having the value 7E in hexadecimal (or 
01111110 in binary) format. 
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The during-login optional parameter of the autoselect command causes the username and 
password prompt to display in the remote host terminal window without the user having to 
press the Return key. 


After a host has established an EXEC session, the remote user can switch to a PPP session at 
any time by issuing the ppp command from privileged EXEC mode router prompt. 


Note With synchronous connections, there is no differentiation between an EXEC session and a 
PPP session. Normally, the user would use the synchronous PPP connection the same as 
an asynchronous PPP session. A user who needed to start an EXEC session on the router 
would use Telnet to access the router CLI. 
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Asynchronous Interface Commands for 
Addressing 


This topic describes how to configure Layer 3 addressing on an asynchronous interface. 


Asynchronous Interface Commands for 
Addressing 


Router (config-if)#interface async 1 
Router (config-if)#ip address ip-address mask 


* Assigns an IP address to a network interface 


Router (config-if)#ip unnumbered type number 


* Configures the asynchronous interface to be 
unnumbered 


Most dialup PPP sessions are established for the purpose of sending and receiving TCP/IP 
packets. Asynchronous PPP connections allow remote users to dial up and access the corporate 
IP network or the Internet. 


However, to participate in a TCP/IP network, the router interface must have an IP address. The 
remote nodes must also be assigned an IP address. 


To assign an IP address to an access server asynchronous interface, use the standard ip address 
command. The following example configures the IP address of interface async 1: 


Router (config)# interface async 1 

Router (config-if)# ip address 10.1.1.1 255.255.255.0 
Access servers can have literally hundreds of asynchronous interfaces. It is also unlikely that all 
interfaces will be in use at the same time. For this reason, the IP unnumbered feature may be 


used to help conserve IP addresses. Multiple asynchronous interfaces on the same router can 
share the same IP address, including an address assigned by the ip unnumbered command. 


When a serial or asynchronous interface is configured with the ip unnumbered command, it 
does not have an IP address. Packets generated by that interface “borrow” the address of 
another interface and use that as the source address. You can use the IP unnumbered feature 
with point-to-point configurations only. The syntax for the ip unnumbered command is: 


Router (config-if)# ip unnumbered type number 
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With this command, the type and number of the interface to borrow the IP address from 
(ethernet 0, loopback 0, and so on) must be specified. A loopback interface is the ideal line to 
use as the reference to the ip unnumbered command, because it is a virtual interface that never 


goes down. 
The following commands illustrate how to configure an asynchronous interface for IP 
unnumbered using a loopback interface: 
Router (config)# interface loopback 0 
Router (config-if)# ip address 10.1.1.1 255.255.255.0 
Router (config-if)# exit 
Router (config)# interface async 1 


Router (config-if)# ip unnumbered loopback 0 
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Asynchronous Interface Commands for 
Addressing (Cont.) 


Router (config-if)# peer default ip address 
{address | pool pool-name | dhcp} 


* Assigns an IP address to a remote node 


Router (config-if)# async dynamic address 


* Allows a remote user to specify the IP address 


After the router interface is assigned a valid IP address, remote dial-in users must also be 
assigned a valid IP address. Fortunately, PPP allows for the automatic assignment of IP 
addresses using a specific address, a pool of addresses, or Dynamic Host Configuration 
Protocol (DHCP). Alternatively, the access server can be configured to allow the remote host to 
choose an address. 


To assign a default (predefined) IP address to the remote dial-in host, use the peer default ip 
address command. Additionally, the pool and dhep arguments allow address allocation from a 
local pool of addresses or a DHCP server. This example shows how to configure an 
asynchronous interface to assign a specific IP address to the dial-in host: 


Router (config)# interface async 1 


Router (config-if)# peer default ip address 10.1.1.2 


In contrast, the next example displays how to configure a group of asynchronous interfaces 
(rotary group) to assign IP addresses from a locally defined pool: 


Router (config)# ip local pool DIAL-IN 10.1.1.2 10.1.1.254 
Router (config)# interface group-async 1 


Router (config-if)# peer default ip address pool DIAL-IN 


Note The pool and dhcp options to the peer default ip address command require a global 


command to create the pool of addresses. For example, ip local pool poo/-name starting- 


address end-address. 


Note A dialer rotary group eases configuration by allowing one logical interface configuration to 
apply to multiple physical interfaces. Dialer rotary groups are not covered in this course. 
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Dynamic addressing allows a user to specify the address at the EXEC level when making the 
connection. If you specify dynamic addressing, the router must be configured with the async 
mode interactive mode. The user will enter the address at the EXEC level. 


For example, after the remote user enters the ppp EXEC command, the access server will 
prompt the user for an IP address or logical host name. 


To enable this dynamic addressing feature, use the asyne dynamic address command in 
interface configuration mode: 


Router (config-if)# async dynamic address 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
| 


¢ Cisco IOS software commands can be used to 
configure serial interfaces using PPP 
encapsulation for leased-line connections. 


* Asynchronous connections can be used as either 
an in-band PPP session or an out-of-band EXEC 
session. 


The autoselect command permits the access 
server to allow an appropriate process to start 
automatically when a starting character is 
received. 


BCRAN v2.1-3-8 
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Quiz 
Use the practice items here to review what you learned in this lesson. The correct answers are 


found in the Quiz Answer Key. 


Ql) ~~ Which of the following commands will enable PPP encapsulation on a serial interface 
of a Cisco router? 


A) router(config)# encapsulation ppp 
B) router(config-if)# encapsulation ppp 
C) router(config-line)# encapsulation ppp 
D) router# encapsulation ppp 
Q2) ~~ Which of the following command modes is used to ensure that the dial-in user runs 
PPP on the specified line? 
A) router(config-if)# asyne mode dedicated 
B) router(config-if)# syne mode dedicated 
C) router(config-if)# dedicated mode sync 
D) router(config-if)}# ppp mode dedicated 
Q3) Which of the following router command modes allows remote users to log into the 
router and issue commands as if the user were connected to the console port? 
A) router(config-line)# interface async 1 
B) router(config-if)# encapsulation ppp 
C) router(config-if)# asyne mode interactive 
D) router(config-if)# interface async 1 
Q4) When you are configuring PPP, which command permits the access server router to 


allow an appropriate process to start automatically as soon as a starting character is 
received? 


A) autoselect 
B) autoconfig 
C) selectauto 


D) configauto 
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Quiz Answer Key 


Ql) B 
Relates to: PPP: Enabling 
Q2) A 
Relates to: PPP Session and EXEC Session 
Q3) Cc 
Relates to: PPP and Asynchronous Interface: Enabling Commands 
Q4) A 


Relates to: Autoselect 
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Configuring LCP Options: 
Authentication with PAP and 
CHAP 


Overview 


To enhance network security, two password protocols are available with PPP. This topic covers 
the concepts and configuration commands for optional PAP and CHAP authentication with 
PPP. 


Relevance 


You can select PAP or CHAP when configuring PPP authentication. In general, CHAP is the 
preferred protocol. You should know how to enable these two protocols for added network 
security. 


Objectives 
Upon completing this lesson, you will be able to: 
m Describe the PPP authentication process 
m Enable PAP authentication with PPP 
m Enable CHAP authentication with PPP 
m Enable both CHAP and PAP authentication with PPP 


Learner Skills and Knowledge 
To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO) 
course 


m= All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course 


Outline 
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This lesson includes these topics: 


Overview 

PPP Authentication 

PPP Using PAP Authentication 

PAP Configuration Example 

PPP Using CHAP Authentication 

CHAP Configuration Example 

CHAP and PAP Configuration Authentication 


Summary 


Quiz 
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PPP Authentication 


This topic describes the PPP authentication process. 


PPP Authentication 


No 
Authentication 
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This flowchart in the figure displays the PPP authentication process with PAP or CHAP 
security as follows: 


1. When a user enters the ppp command, the system determines the type of authentication 
configured. If no authentication is configured, the PPP process starts immediately. 


2. Ifthe system determines the authentication method to be used, it does one of the following: 


— It checks the local database (established with the username and password 
commands) to determine if the given username and password pair matches the pair 
in the local database (CHAP or PAP). 


— It sends an authentication request to the security server (TACACS+ or RADIUS). 


3. The system checks the authentication response sent back from the security server or local 
database. If the response is positive, the PPP process is started. If it is negative, the user is 
rejected immediately. 
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PPP Using PAP Authentication 
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This topic describes the PAP authentication process. PAP authentication sends passwords in 
plaintext. 


PPP Negotiating PAP Authentication 


Cisco Router 
Run PPP Local User 
Use PAP 


“jdoe, itsasecret" 
ooo Ss 


Accept or Reject 


One-Way PAP 
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If you have decided to use an authentication protocol, it will likely be PAP or CHAP. PAP is a 
one-way authentication between a host and a router or a two-way authentication between 
routers. With PAP, this process provides an insecure authentication method. 


When using PAP, the remote host is in control of the frequency and timing of login requests. 
This situation is undesirable because the router or access server must respond to all login 
requests, even the repeated attempts of a hacker to guess a username and password 
combination. (This is known as a brute force attack.) PAP also sends passwords as cleartext 
over the media, which means that a strategically placed packet sniffer could capture and easily 
decode the password. 


For more secure access control, use CHAP instead of PAP as the authentication method. You 
should use PAP only when you find that hosts running legacy software may not support CHAP. 
In this case, PAP is your only authentication option. 


Always configure asynchronous lines to require authentication. PPP gives you the option of 
requiring that callers authenticate using one of two authentication protocols, PAP or CHAP. 
However, if you are using PPP over a point-to-point leased line, authentication is unnecessary 
and should not be configured. 


Note Most Internet service providers (ISPs) use PAP and CHAP because of the relative 
management ease and the reduced number of support calls. 
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PAP Configuration Example 


This topic describes how to configure PAP authentication on a Cisco router. 


PAP Configuration Example 
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In the figure shown, two routers, RouterA and RouterB, are connected across a network. 


Perform the following steps to configure PAP authentication: 


Step 1 
Step 2 
Step 3 


Step 4 


Step 5 
Step 6 


On each of the interfaces, specify encapsulation ppp. 
Enable the use of PAP authentication with the ppp authentication pap command. 


Configure the router with a local username and password database, using the global 
configuration command username username password password, or point it to a 
network host that has that information (such as a TACACS+ server). The username 
and password must match the username and password in the remote router ppp pap 
sent-username command. 


Configure the router with the ppp pap sent-username command, which must match 
the username username password password statement on the remote host or router. 
Note that in the RouterA configuration, the ppp pap sent-username command is 
used to specify the username and password information to send in the event that it 
dials RouterB and is asked to authenticate. RouterB is also configured to send a 
username and password for PAP, if challenged. The name included with the 
username and dialer map commands is case sensitive. If the remote host name is 
RouterA and you create a username entry for rta instead, authentication will fail. 


Configure IP addresses on the interfaces. 


To ensure that both systems can communicate properly, configure the dialer-map 
command lines for each router. If each router is configured with a dialer-map 
command, each system will know what to do with authentication issues because the 
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systems will have prior knowledge of each other. The dialer-map command also 
contains the telephone number to dial to reach the specified router. 
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PPP Using CHAP Authentication 


This topic describes the CHAP authentication process. CHAP authentication does not send 
passwords in plaintext. 


PPP Using CHAP Authentication 
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When using CHAP, the router sends a challenge message to the remote node after the PPP link 
is established. The remote node responds with a value calculated by using a one-way hash 
function, typically message digest algorithm 5 (MD5). The router checks the response against 
its own calculation of the expected hash value. If the values match, the authentication is 
acknowledged. Otherwise, the connection is immediately terminated. Thus, the actual username 
and password are not sent over the media. 


CHAP provides protection against a playback attack through the use of a variable challenge 
value that is unique and unpredictable. The use of repeated challenges every 2 minutes during 
any CHAP session is intended to limit the time of exposure to any single attack. The router (or 
authentication server, such as TACACS+) controls the frequency and timing of the challenges. 
A major advantage of the constantly changing challenge string is that the line cannot be sniffed 
and played back later to gain unauthorized access to the network. 


Copyright © 2004, Cisco Systems, Inc. Configuring PPP Features 3-33 


3-34 


CHAP in Action—Challenge 
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This figure illustrates the following steps in the CHAP authentication process between the two 
routers: 


iF 
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The call arrives on an interface configured for the ppp authentication chap command. 
Therefore, a CHAP challenge from RouterA to the calling router RouterB is required on 
this call. 


A CHAP challenge packet is built with the following characteristics: 


“01” = challenge packet type identifier 
— “id” = sequential number that identifies the challenge 
— “random” = a reasonably random number 
—  “RouterA” = the authentication name of the challenger 


The “id” and “random” values are kept on the access server. 
The challenge packet is sent to the caller. 


A list of outstanding challenges is maintained. 
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CHAP in Action—Response 


User dials in 


id | random |/RouterA 


02 | id hash RouterB 


This figure illustrates the receipt and MDS processing of the challenge packet from the server. 


The calling router processes the CHAP challenge packet in the following manner: 


1. The “id” value and “random” value are fed into the MDS hash generator. 
2. The name “RouterA” is used to look up the password. 


3. The password is fed into the MDS hash generator. 


The one-way hash result is then used to form a response packet containing the following: 
m “02” = CHAP response packet type identifier 
m “id” = number copied from the challenge packet 


m “hash” = the output from the MDS hash generator (the hashed information from the 
challenge packet) 


m= “RouterB” = the authentication name of this caller 


The result is a one-way MD5-hashed CHAP challenge that will be sent back in the CHAP 
response. 
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CHAP in Action—Verification 
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This figure shows the response packet processing that occurs on the challenger. 


The CHAP response packet is processed in the following manner: 


1. The “id” value is used to find the original challenge packet. 
2. The “id” value is fed into the MDS hash generator. 
3. The original challenge “random” value is fed into the MDS hash generator. 


4. The name “RouterB” is used to look up the password (this name can be used to identify this 
session) from the local database, TACACS server, or RADIUS server. 


5. The password is fed into the MDS hash generator. 


6. The hash value received in the response packet is then compared to the calculated MD5 
hash value. 


CHAP authentication succeeds if the calculated and the received hash values are equal. 
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CHAP in Action—Result 
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The figure illustrates the success message being sent to the calling router. 


If authentication is successful, a CHAP success packet is built from the following components: 

m “03” =CHAP success message type 

m= “id” = number copied from the response packet 

m “Welcome in” is simply a text message of some kind, meant to be a user-readable 
explanation 

If authentication fails, a CHAP failure packet is built from the following components: 

m “04” = CHAP failure message type 

m= “id” = number copied from the response packet 

m= “Authentication failure” or some such text message, meant to be a 


user-readable explanation 


The success or failure packet is then sent to the caller. 
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CHAP Configuration Example 
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This topic describes how to configure CHAP authentication on a Cisco router. 


Configuring CHAP Example 
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Configuring CHAP is straightforward. As with the PAP example, RouterA and RouterB are 
connected across a network. Use the following steps as a guide to configuring CHAP 
authentication: 


Step 1 On each of the interfaces, specify the encapsulation ppp command. 


Step 2 Enable the use of CHAP authentication with the ppp authentication chap 
command. 


Step 3 You must also configure the usernames and passwords. Use the command username 
username password password, where username is the hostname of the peer. 


The passwords must be identical at both ends. 
The router name and password are case sensitive. 
Router (config)# username username password password 


Step 4 Configure the router with a local username/password database, using the global 
configuration command username username password password, or point it to a 
network host that has that information (such as a TACACS+ server). By default, the 
router uses its hostname to identify itself to the peer. Therefore, the username must 
match the remote host hostname. 


However, if you want the router to send a different username and password, you have the 
option of specifying this username and password with the commands: 


Router (config-if)# ppp chap hostname name 
Router (config-if)# ppp chap password password 


Step 5 Configure IP addresses on the interfaces. 
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CHAP and PAP Configuration Authentication 


This topic describes how to configure both CHAP and PAP authentication on a Cisco router. 


Configuring CHAP and PAP Authentication 


Router (config-if)# ppp authentication pap chap 


¢ Enables both CHAP and PAP, and performs PAP 
authentication before CHAP 


Router (config-if)# ppp authentication chap pap 


¢ Enables both CHAP and PAP, and performs 
CHAP authentication before PAP 


Both PAP and CHAP authentication can be configured on an interface. The first method 
specified is requested during link negotiation. If the peer suggests using the second method or 
simply refuses the first method, then the second method will be tried. This command can be 
useful because some remote devices support only CHAP and others only PAP. 


Copyright © 2004, Cisco Systems, Inc. Configuring PPP Features 3-39 


Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
ee eee iS LOO | 


¢ PAP authentication sends password in plaintext. 


¢ CHAP authentication sends passwords in 
encrypted text. 


¢ Both PAP and CHAP authentication can be 


configured on an interface. 
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Quiz 


Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 


Ql) 


Q2) 


Q3) 


Q4) 


Q5) 


During the PPP authentication process, and after the system checks the authentication 
response sent back from the security server or local database, what happens if the 
response is positive? 

A) The user is rejected immediately. 

B) Nothing occurs. 

C) The PPP process is started. 

D) The user is prompted for a credit card authorization code. 


Which authentication protocol would be used if you have decided to use an 
authentication protocol on your router? 


A) POP 

B) CHAP 
Cc) TFTP 
D) ‘ICMP 


Which command is used to enable the use of PAP authentication on a Cisco router? 
A) pap authentication ppp 

B) chap authentication ppp 

C) ppp authentication chap 

D) ppp authentication pap 


Which Cisco router authentication protocol provides protection against a playback 
attack through the use of a variable challenge value that is unique and unpredictable? 


A) PAP 

B)  ‘TFTP 
C) CHAP 
D) ICMP 


Which two information items in the local database are essential in configuring the 
CHAP authentication protocol? 


A) username and user password 

B) username and user phone number 
C) username and user birthday 

D) username and user hire date 


Copyright © 2004, Cisco Systems, Inc. Configuring PPP Features 3-41 


Q6) Which of the following commands enables both PAP and CHAP authentication on an 
interface, but performs CHAP authentication before PAP authentication? 


A) router(config-if)# ppp authentication pap chap 
B) router(config-if)# pap authentication chap ppp 
C) router(config-if)# ppp authentication chap pap 
D) router(config-if)# chap authentication pap ppp 
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Quiz Answer Key 


Ql) 


Q3) 


Q4) 


Q5) 


Q6) 


Cc 


Relates to: 


B 


Relates to: 


D 


Relates to: 


Cc 


Relates to: 


A 


Relates to: 


Cc 


Relates to: 
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PPP Authentication 


PPP Using PAP Authentication 


PAP Configuration Example 


PPP Using CHAP Authentication 


CHAP Configuration Example 


CHAP and PAP Configuration Authentication 


Configuring PPP Features 
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Configuring LCP Options: 
Callback and Compression 


Overview 


When you can create PPP connections, you may want to take advantage of other PPP LCP 
options. These options include PPP callback and several types of compression. This lesson 
explains how to configure a PPP callback server and a PPP callback client, and how to enable 
various types of compression. 


Relevance 


The callback feature can be useful to control access and toll costs between hosts because only 
the two authenticated hosts will participate in the WAN connection. Compression is valuable 
for maximizing limited capacity on a WAN link. 


Objectives 
Upon completing this lesson, you will be able to: 
m™ Describe how to implement and configure PPP callback 
™ Configure a PPP callback server using Cisco IOS commands 
™ Configure a PPP callback client using Cisco IOS commands 
m= List and describe the various compression schemes supported by Cisco routers 
= Configure compression using Cisco IOS commands 


m Identify that compression is occurring use show commands 


Learner Skills and Knowledge 
To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO) 
course 


m All knowledge presented in the Jnterconnecting Cisco Network Devices (ICND) course 


Outline 
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This lesson includes these topics: 


Overview 

PPP Callback Overview 

Asynchronous Callback Operation Flowchart 
PPP Callback Operation 

Asynchronous Callback Line and Interface Commands 
PPP Callback Client Configuration 

PPP Callback Server Configuration 
Compression and PPP 

Compression Configuration 

Compression Verification 

Summary 


Quiz 
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PPP Callback Overview 


This topic describes the PPP callback configuration. 


PPP Callback Implementation 
Considerations 


2 


Hold-Queue Started 


| Caliback 


Callback Callback 
Server 


Client Called 


Callback PPP PAP or CHAP Negotiation Begins Callback 
liewt i ~~ + - Server 
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PPP callback is an LCP option used over dialup links. PPP callback provides a client/server 
relationship between the endpoints of a point-to-point connection. PPP callback allows a dialup 
client to request that a dialup server call back. The callback feature can be used to control 
access and toll costs between hosts. 


When PPP callback is configured on two routers, the calling router (the callback client) passes 
authentication information to the remote router (the callback server), which uses the host name 
and dial string authentication information to determine whether or not to place a return call. If 
the authentication is successful, the callback server disconnects, and then places a return call. 
The remote username of the return call is used to associate it with the initial call so that the 
packets can be transmitted. 


Both routers on a point-to-point link must be configured for PPP callback. One router must 
function as a callback client; the other router must be configured as a callback server. The 
callback client must be configured to initiate PPP callback requests. The callback server must 
be configured to accept PPP callback requests and place return calls. 


When the client router dials the initial call, the router hold-queue timer is started. Calls to this 
destination will not be made again until the hold-queue timer expires. The timer is stopped if 
PPP LCP negotiation is successful or if the call fails. 


Note the following regarding rotary groups including ISDN: 


m If the enable time is too long and another user dials into the last interface before the enable 
timer expires, the return call will never be made. 

m= If an interesting packet arrives at the server during the enable time, the dialer may use the 
last interface for the interesting packet and the return call will never be made. 
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When planning to implement PPP callback, consider the following: 
m Authentication is required for callback to be successful. 


m= The dialer enable-timeout command specifies the time in seconds that the Cisco IOS 
software waits before the next call can occur on the specific interface. This value must be 
greater than the serial pulse interval for the interface that is set using the pulse-time 
command. Acceptable values are positive, nonzero integers. 


m= The dialer hold-queue timeout command determines how long to wait before the client 
can make another call to the same destination. The server must make the return call before 
the client hold-queue timer expires to prevent the client from trying again and possibly 
preventing the return call from being connected. 


The hold timer on the callback client should be approximately four times longer than the server 
hold-queue timer. 


Note The dialer redial command could also be used to customize the number of redial attempts 
and the interval between redial attempts. 
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Asynchronous Callback Operation Flowchart 


This topic describes the general steps that occur during a typical PPP callback exchange. 


Asynchronous Callback 
Operation Flowchart 


Call Initiated ———> 
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The asynchronous callback feature supports EXEC, PPP, and ARA Protocol sessions. The main 
motivation for callback is telephone bill consolidation and dialup cost savings. Although 
asynchronous callback is not positioned as a security feature, it enforces security by making 
callbacks only to telephone numbers assigned in the authentication database. The incoming 
calls go through the normal login process and must pass authentication before callback can 
occur. 


The callback feature employs a two-pass process: 


m™ On the first pass the callback engine determines which target line to use for callback to the 
remote user and then hangs up on the incoming line. Then the callback engine dials back to 
the remote user through the target line using the dial string provided. 


m™ On the second pass the callback engine proceeds normally as if there is no callback. 


Note To make callback work properly, you must make sure that callback is configured for each 
autoselect protocol (PPP, SLIP, or ARA Protocol) that is defined for any given remote user. 
Otherwise, the remote dial-in autoselect process may work, but no callback will occur. 
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PPP Callback Operation 


This topic describes the steps that occur during a typical PPP callback exchange. 


PPP Callback Operation 


Callback Client Callback Server 


a7 —_z_- @ 
Call Initiation (1) 


(2) Call Acknowledgment 
ee 
User Authentication (3) 
‘a’ 
(4) Server-To-Client Dial String Identified 


Initiating Call Disconnected (8) 


ia 


‘ \ 6) Client Called 
Authentication @ 
ra’ 
(8 
Connection Proceeds 
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PPP callback operation consists of the following steps: 


Step 1 


Step 2 


Step 3 


Step 4 


Step 5 


The callback client initiates the call. The client requests callback using the callback 
option during the PPP LCP negotiation phase. 


The callback server acknowledges the callback request and checks its configuration 
to verify that callback is enabled. 


The callback client and server authenticate using either CHAP or PAP 
authentication. The username identifies the dial string for the return call. 


After successful initial authentication, the callback server router identifies the 
callback dial string. The callback server compares the username of the authentication 
to the host name in a dialer map table. The dial string can be identified by a mapping 
table or by the Callback Option Message field during PPP LCP negotiations. The 
Callback Option Message field is defined in RFC 1570. 


m= Ifthe commands dialer callback-secure, ppp callback accept, and ppp 
authenticate pap or ppp authenticate chap are enabled on an interface, all 
calls answered on that interface are disconnected after authentication, and the 
callback server proceeds with Steps 5 through 8. 


= Ifthe dialer callback-secure command is not enabled, the callback server will 
maintain the initial call if the authenticated username is not configured for 
callback. 


The callback server rejects the initiating call. Therefore, there is no cost to the 
calling party. 
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Step 6 The callback server uses the dial string to initiate the callback. If the return call fails, 
no additional calls are attempted. Callback is not negotiated on the return call. 


Step 7 If the return call succeeds, authentication occurs. 


Step 8 The connection is established, and data is exchanged. 
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Asynchronous Callback Line and Interface 


Commands 


This topic describes the commands that are used for enabling asynchronous PPP callback on 


the callback server. 


Asynchronous Callback 
Line/Interface Commands 


Router (config)# line line-number 


Router (config-line)# callback forced-wait seconds 


Router (config-line)# script callback script-name 


° On the callback server 
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The asynchronous line configurations or asynchronous interface commands for PPP callback 
are shown in the table. 


PPP Callback Commands 


Command Description 

ppp callback This interface command allows the specified interface to accept a callback request 
accept initiated from a remote node (per RFC 1570). 

ppp callback This interface command allows the router to initiate a callback to a remote node 
initiate when the remote node is capable of putting itself in an answer mode for callback. 


callback forced- 
wait seconds 


This line command allows an additional wait (in seconds) before the callback chat 
script is applied to the outgoing target line. This option accommodates modems 
that require a longer “resting” period before any input can be accepted again. 


script callback 
script-name 


This line command specifies a chat script to issue AT commands to the modem 
during a callback attempt made to the target asynchronous line. This command is 
used for EXEC and PPP callbacks. 
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PPP Callback Client Configuration 


This topic describes the commands that enable PPP callback on the callback client. 


PPP Callback Client Configuration 
SS ( ———— 


Caliback Client Callback Server 


10.1.4.8 —_ ay 2 a 10.4.1.7 


A 
Router 678 Router® 


RouteraA (config) fusername Router paseword itessecret 
RouterA (config) finterface seriald 
RouterA(config-if)#ip address 10.1.1.6 255.255.0 


RouterA (config-if) #encapsulation ppp 


Routera (config-if) @dialer map if 10.1.1.7 name RouterB 5551234 
RouterA (config-if) #dialer-group 1 


RouterA(config-if)#ppp ce mae 
RouterA(config-if)#ppp authentication chap callin 
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To configure client PPP callback so that all calls over this interface will request callback, 
perform the following tasks: 


Step 1 Configure PPP on the serial or ISDN interface. 


Step 2 Set up a dialer map with the dialer map ip and dialer-group commands. Be sure 
that the dialer map command has a name field with the correct name of the server. 
In this example, the server is named RouterB. 


Step 3 Configure the router interface as the callback client using the ppp callback request 
command. 


Step 4 Set the authentication to CHAP using the ppp authentication chap command. 


Note You can use the optional dialer hold-queue timeout or dialer redial commands to specify 
the number of seconds that the callback client waits for a return call from the callback server. 
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PPP Callback Server Configuration 


This topic describes the commands that are used to configure PPP callback on the callback 
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server. 


PPP Callback Server Configuration 


Callback Client 


fouterS{toconfag)@username RouterA password itesasecret 
RouterB(config)#interface serial? 
RouterBiconfig-af)@ip address 10.1.3.7 255.255.255.0 
Router (config-if)@encapsulation ppp 
RowuterBlconfig-if) @dialer callbeck-secure 
RowuterRloonfig-if) @tialer map ip 10.3.3.8 mame RowtorA class DialMeRect 5555678 
RouterRloofig-3f}) @cialer-group 1 
‘RosterB(config-if)@ppp callback accept 
RouterBlconfig) *ppp authentacation chap 

' 

RouterB (config) @map-class dialer DialMeBack 


Row ter (config-inap class) @diasler callback-server usernne 


BCRAN v2.1-3-7 


To configure PPP callback for a server, perform the following steps: 


Step 1 


Step 2 


Step 3 


Step 4 
Step 5 


Step 6 


Configure IP on the dial-in line. 


Use the dialer callback-secure command to disconnect calls that are not properly 
configured for callback. If the username specified in the dialer map command is not 
authorized for callback, the call will be disconnected. If the dialer callback-secure 
command is not configured, it will allow both callback and noncallback clients. 


Configure the dialer map including a map class “DialMeBack” to establish PPP 
callback. 


Use the ppp callback accept command to enable callback. 
Define the PPP authentication method with the ppp authentication chap command. 


Configure the dialer callback-server username command in a dialer map class to 
identify the name used in the dialer map as a valid callback client. 


When the callback client router dials in and is authenticated, the call will be disconnected. For 
example, in the figure, a return call will be made to 555-5678 as configured by the dialer map 
command. The dialer map command identifies the map class to be used for this connection. 
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Compression and PPP 


This topic describes the various compression schemes that are available on Cisco routers. 


Cisco routers can also maximize performance using data compression, enabling higher data 


Supported Compression Algorithms 


Compression Decompression 


——_—» fied - - 1Z6kops Bee eS —. 
128 to 384 kbps 


Compressed 128 to 284 kbps 
Data 


¢ Predictor 
° Stacker 
° MPPC 


Compression 
Ratios TCP header 
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throughput across the link, especially for low-speed links. 


Cisco compression schemes are as follows: 


Stacker: A Lempel-Ziv (LZ)-based compression algorithm looks at the data and sends 
each data type only once. The data type includes information about where the type occurs 
within the data stream. The receiving side uses this information to reassemble the data 
stream. 


MPPC: MPPC Protocol (RFC 2118) allows Cisco routers to exchange compressed data 
with Microsoft clients. MPPC uses an LZ-based compression algorithm. 


TCP header compression: This type of compression, also known as Van Jacobson 
compression, is used to compress only the TCP headers. 


Predictor: Determines if the data is already compressed. If the data is compressed, the data 
is sent. No time is wasted trying to compress data that is already compressed. 


Compression is an option that is negotiated by LCP. Therefore, if the remote party that is being 
called is not configured for compression, no compression will take place. 


The highest compression ratio is usually reached with highly compressible text files. 


Compressed files such as Joint Photographic Experts Group (JPEG) graphics or Motion Picture 


Experts Group (MPEG) files, or files that were compressed with software such as PKZIP or 


StuffIt, will be compressed only 1:1 or less. 
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If you frequently transfer already-compressed data, such as graphics and video, you must 
consider global compression. Trying to further compress already-compressed data can take 
longer than transferring the data without any compression at all. Ideally, you can attain 2:1 or 
3:1 compression for information that has not already been compressed. Expect an average of 
1.6:1 compression for mixed compressed and uncompressed source data. 


Typically, you should configure compression only on low-speed links because the router 
compresses data using software, which requires router CPU time and memory. Some 
algorithms are more memory intensive, while others are more CPU intensive. For example: 


= More CPU intensive: Stacker, MPPC 


= More memory intensive: Predictor 


Memory-intensive algorithms require an extra memory allowance. CPU-intensive algorithms 
require more CPU cycles. In either case, the ability of the router to route packets is impaired by 
the drain on its resources. 


You should take memory and CPU usage into consideration when you are implementing 
compression on a specific router. Some routers with slow CPUs or inadequate memory can be 
overloaded when configured to compress traffic. If you are using a Cisco 2500 Series or faster 
processor router, either of these methods should be acceptable if you have sufficient memory in 
the router. Use caution with smaller systems that have less memory and slower CPUs, and 
ensure that you are not overloading the router. 


Cisco recommends that you disable compression if the CPU load exceeds 65 percent. To 
display the CPU load, use the show process cpu command. 


Predictor compression is recommended when a bottleneck is caused by a high load on the 
router. Stacker compression is recommended when the bottleneck is caused by bandwidth 
limitations on a line. 
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Compression Configuration 


This topic discusses the commands that enable compression on a Cisco router. 


Interface Compression Algorithms 


Router (config)# int async 2 
Router (config-int) # ip tcp header-compression 


Router (config)# int async 2 
Router (config-int)# ip tcp header-compression passive 


¢ TCP Header 


Configuring for compression is simple. From the interface, issue the compress predictor, 
compress stac, compress mppc, or ip tcp header-compression command on both sides of the 
link. 


TCP header compression is an option negotiated by LCP. The TCP header compression 
technique is described in RFC 1144. 


TCP header compression is supported on serial lines that use HDLC, PPP, or SLIP 
encapsulation. You must enable TCP header compression on both ends of the connections for it 
to work. Only TCP headers are compressed. User Datagram Protocol (UDP) headers are not 
affected. Header compression is useful on networks with a large percentage of small packets, 
such as those supporting many Telnet connections. 


Configure TCP header compression by using the ip tcp header-compression command. The 
optional ip tep header-compression passive command specifies that TCP header compression 
is not required but will be used if the router receives compressed headers from its link partner. 


Note Cisco IOS software includes the PPP commands ppp compression predictor and ppp 
compression stacker. Using these commands has exactly the same effect as using the 
compress predictor and compress stac commands, respectively. For example, if you 
enter the ppp compression stacker command, it will appear as compress stac in the 
configuration file. 
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Compression Verification 


This topic describes the commands that are used to verify compression activity. 


Using the show compress Command 
= 8 | 


Routerl+ show ccmpressa 
Serialz2 


uncompressed bytes xmt/roev &1951/85509 
1 min avg ratio xmt/rov 0.789/0.837 
5 min avg ratio xmt/rev 0.763/0.837 


10 man avg ratio amt/rov 0.785/0.837 
mo buts x.mt © no bufs rov 0 


restarts 0 
Additional Stacker Stats: 
Transmit bytes: Uncompressed 28049 Compressed = 65745 
Received bytes: Compressed = 74744 Uncompressed =0 
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Verify compression by using the show compress command in privileged EXEC mode to view 
compression statistics. This example shows report statistics for an interface that is configured 
with Stacker compression. The report includes the number of compressed bytes that are 
received and transmitted by the interface. 


Uncompressed Bytes 


This line provides an uncompressed byte count of compressed data. It does not include packets 
that cannot be compressed. 


uncompressed bytes xmt/rcev 81951/85500 


Throughput Ratio 


The next section of output is a ratio of the data throughput gained or lost in the compression 
routine. Any number less than one (1) indicates that the compression is actually slowing down 
the data throughput. It does not reflect the data compressibility. 

1 min avg ratio xmt/rcev 0.789/0.837 

5 min avg ratio xmt/rcv 0.789/0.837 

10 min avg ratio xmt/rcv 0.789/0.837 
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Buffer Allocation 


This line indicates the number of times the compression routine was not able to allocate a 
buffer to compress or decompress a packet: 


no bufs xmt O no bufs rev 0 


Bytes Transmitted 


The uncompressed value is the amount of data that could not be compressed and that the router 
sent in an uncompressed format. The compressed value is the byte count of the data after 
compression. The sum of these two values represents the actual number of bytes that are 
transmitted on the interface, minus the Layer 2 encapsulation overhead. 


Transmit bytes: Uncompressed = 28049 Compressed= 65745 


Bytes Received 


The compressed value is the byte count of the compressed data received. The uncompressed 
value is the amount of data received in uncompressed format. The sum of these two values 
represents the actual byte count received on the interface, minus the Layer 2 encapsulation 
overhead. 


Received bytes: Compressed = 74738 Uncompressed= 0 


Interpreting the show compress Command Output 
From this output, the following calculations can be made: 


= Total amount of data to be transmitted before applying the compression routine: 81,951 + 
28,049 = 110,000 


= Total amount of data to be transmitted after compression: 28,049 + 65,745 = 93,794 
m= Overall data compression: 110,000 / 93,794 = 1.17 
= Compression ratio of the compressed packets: 81,951 / 28,049 = 2.92 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
ee i ESL OO 


¢ The callback feature can be used to control access 
and toll costs between hosts. 


¢ PPP callback is an LCP option used over dialup 
links. 


* The asynchronous callback feature supports EXEC 
and PPP. 


* Cisco routers can also maximize performance 
using data compression, which enables higher 
data throughput across the link. 


* To verify compression, use the show compress 
command in privileged EXEC mode. 
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Quiz 


Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 


Ql) 


Q2) 


Q3) 


Q4) 


QS5) 


Which LCP option feature does a Cisco router use over dialup links? 
A) PAP callback 

B) NCP callback 

C) PPP callback 

D) LCP callback 

Which of the following session types is supported by the asynchronous callback 
feature? 

A) EXEC, PPP, and ARA Protocol 

B) TTT, IPC, and OPX 

C) ASC, CB, and FS 

D) AUX, CON, and TTP 


Which party initiates the call in the PPP callback process? 

A) callback server 

B) callback client 

C) caller ID 

D) three-way calling service 

Which interface command allows the router to initiate a callback to a remote node 
when the remote node is capable of putting itself in an answer mode for callback? 
A) callback forced-wait seconds 

B) ppp callback initiate 

C) ppp callback accept 


D) script callback script-name 


Which command configures the router interface as the PPP callback client? 
A) ppp authentication pap 

B) ppp dialer map id 

C) ppp callback request 

D) ppp authentication chap 
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Q6) | Which command is used to disconnect calls that are not properly configured for PPP 
callback? 


A) dialer map 

B) dialer callback-secure 
C) dialer group 

D) dialer hold 


Q7) — Which of the Cisco compression algorithms determines whether the data is already 
compressed before sending the compressed data? 


A) MPPC 
B) Predictor 
C) Stacker 


D) TCP header compression 
Q8) | When TCP header compression is enabled on both sides of the router, which headers 
are compressed? 
A) UDP headers 
B) TCP headers 
C) PPC headers 
D) STA headers 
Q9) Which command is used in privileged EXEC mode to view compression statistics to 
verify compression? 
A) show stacker 
B) show predictor 
C) show MPPC 


D) show compress 
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Quiz Answer Key 


Ql) Cc 
Relates to: PPP Callback Overview 
Q2) A 
Relates to: Asynchronous Callback Operation Flowchart 
Q3)  B 
Relates to: PPP Callback Operation 
Q4)  B 
Relates to: Asynchronous Callback Line and Interface Commands 
Q5) Cc 
Relates to: PPP Callback Client Configuration 
Q6) B 
Relates to: PPP Callback Server Configuration 
Q7)  B 
Relates to: Compression and PPP 
Q8)  B 
Relates to: Compression Configuration 
Q9) D 


Relates to: Compression Verification 
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Configuring LCP Options: 
Multilink PPP 


Overview 


Multilink PPP (MLP) allows two or more connections to be bundled into a single virtual 
connection. These bundles can be established through both circuit-switched and leased-line 
topologies. This topic describes the use and operation of MLP. 


Relevance 


You should know how to configure MLP for situations when additional bandwidth is desired, 
such as during periods of high utilization. 


Objectives 
Upon completing this lesson, you will be able to: 
m= Describe MLP operation and concepts 


™ Configure MLP 


Learner Skills and Knowledge 
To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO) 
course 


m All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course 


Outline 
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This lesson includes these topics: 


Overview 

Multilink PPP Overview 

Multilink PPP Operation and Configuration 
Multilink PPP Example 


Summary 


Quiz 
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Multilink PPP Overview 


This topic describes MLP over parallel circuits. 


Why Use MLP? 
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MLP is an LCP option that permits a system to signal that it is capable of combining multiple 
links into a bundle. MLP can improve throughput and reduce latency between systems by 
splitting Layer 3 packets and sending the fragments over parallel circuits. It is important to 
remember that MLP works by splitting packets into fragments, not by load-balancing complete 
packets to a destination. 


Prior to the adoption of MLP (described first in RFC 1717), there was no standardized way to 
use both of the ISDN B channels of a BRI and also ensure proper sequencing. MLP is 
interoperable between Cisco routers running Cisco IOS software and most routers that comply 
with the most recent MLP standard, RFC 1990. 


Typically, you should use MLP with applications, in which bandwidth requirements are 
dynamic, such as remote LAN access applications for SOHO environments. When user traffic 
exceeds a predefined threshold, an additional physical link (such as a B channel) can be 
brought up to handle the burst of traffic. 


MLP solves several problems related to load balancing across multiple WAN links, including 
the following: 


m= Multivendor interoperability, as specified by RFC 1990, which replaces RFC 1717 


m= Packet fragmentation, improving the latency of each packet (supports RFC 1990 
fragmentation and packet-sequencing specifications) 


m Packet-sequence and load calculation 


This feature negotiates the Maximum Receive Reconstructed Unit (MRRU) option during the 
PPP LCP negotiation to indicate to its peer that it can combine multiple physical links into a 
bundle. 
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Multilink PPP Operation and Configuration 


This topic demonstrates how to configure an MLP connection on two parallel circuits. 


MLP Operation and Configuration 


Rotary Group 


___|| &==<  1S0N 
A 


Router (config-if)#ppp multilink 


¢ Enables MLP on an interface 


Router (config-if)#dialer load-threshold load 
[outbound | inbound | either] 


¢ Defines the threshold to bring up another link 
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The ppp multilink interface configuration command enables MLP on an interface. The 
interface must use PPP encapsulation. The maximum number of links in a bundle is the number 
of interfaces in the dialer or ISDN interface. To limit the number of links in a multilink bundle, 
include the ppp multilink links maximum /inks command on the MLP interface. 


The dialer load-threshold command enables a dialer rotary group to bring up links and add the 
links to a multilink bundle. The load threshold is expressed as a ratio of x/255, with a value of 
128, meaning 50 percent bandwidth utilization. This command allows threshold determination 
for the following: 


™ Outbound traffic only (default) 
= Inbound traffic only 


m= The maximum of either inbound or outbound traffic 
It is necessary to configure only one end of a link for load threshold. 


To ensure proper load calculation, be sure to set the correct interface bandwidth using the 
bandwidth command. 


Note Standard dial-on-demand routing (DDR) configuration should be in place before you 
configure MLP. 


3-68 Building Cisco Remote Access Networks (BCRAN) v2.1 Copyright #: 2004, Cisco Systems, Inc. 


Multilink PPP Example 


This topic discusses the steps that are necessary in configuring an MLP connection. 


MLP Example 


RouteraA (oont=ig) #antertsce BRIO 

RoutezA(contig-it)#ap address 192.169.12.3.255.255.255.240 
RouterA (eanfie=-if)# anoapsulation ppp 

RouterA(confic-if)# dialer mep ip 192,166.12.1 neme ROUTER: 5554322 
RouterA (cenfig-if) # dialer-group 1 


RoubterA(cenflic-if)# ppp authenticaticn chap 
RouterA (config-if) dialer load-threshold 1 either 


Only two commands must be added to this interface configuration to make MLP possible. The 
router at the other end of the call must be similarly configured. These two commands are: 


m= The ppp multilink command 


m= The dialer load-threshold /oad [outbound | inbound | either] command 


The ppp multilink command activates the interface for MLP operation and allows negotiation 
of the protocol at connect time, thus establishing a single-channel MLP bundle. However, this 
command is not sufficient to take advantage of the fragmentation, load-balancing, or 
bandwidth-on-demand features of the protocol. 


The dialer load-threshold /oad command sets the point at which additional B channels will be 
added to the MLP bundle. When the total load of all up B channels is greater than the load 
threshold, the dialer interface (in this case, the BRI or PRI) adds an extra channel to the 
multilink bundle. In a similar way, if the total load for all the up B channels, minus one (n — 1) 
is at or below the threshold, channels will be taken down. 


The load argument is the average load for the interface. It is a value from 1 (unloaded) to 255 
(fully loaded). 


The outbound argument sets the load calculation to be made on outbound traffic only. The 
inbound argument sets the load calculation to be made on inbound traffic only. The either 
argument sets the load as the larger of the outbound and inbound loads. 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
ee es an MOO | 


¢ MLP allows several connections to be bundled into 
a single virtual connection. 


° MLP is controlled by adding a 2- or 4-byte 
sequencing header in the PPP frame that indicates 
sequencing for the fragments. 
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Quiz 


Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 


Ql) Why use MLP? 


A) 


B) 


C) 


D) 


MLP can improve throughput and reduce latency between systems by splitting 
Layer 3 packets and sending the fragments over parallel circuits. 


MLP can reduce throughput and improve latency between systems by splitting 
Layer 3 packets and sending the fragments over parallel circuits. 


MLP can improve throughput and increase latency between systems by 
splitting Layer 3 packets and sending the fragments over parallel circuits. 


MLP can reduce throughput and reduce latency between systems by splitting 
Layer 3 packets and sending the fragments over parallel circuits. 


Q2) Which command enables a dialer rotary group to bring up additional links to form a 


multilink bundle? 

A) ppp multilink 

B) dialer threshold 

C) dialer load-threshold 
D) bandwidth 


Q3) | Two commands must be added to the interface configuration to make MLP possible. 


The router at the other end of the call must be similarly configured. What are these two 


commands? 

A) ppp multilink and dialer group 

B) ppp multilink and dialer load-threshold /oad [outbound | inbound | either] 
C) ppp multilink and dialer map 

D) ppp multilink and dialer encapsulation 
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Quiz Answer Key 


Ql) A 

Relates to: Multilink PPP Overview 
Q2) Cc 

Relates to: Multilink PPP Operation and Configuration 
Q3)  B 


Relates to: Multilink PPP Example 
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Verifying and Debugging PPP 


Overview 


After you have configured PPP, you may need to troubleshoot an incorrect configuration for 
intended data travel on the PPP link. This topic describes how to verify and debug a PPP 
connection. 


Relevance 


Verification and debugging commands help troubleshoot nonworking PPP connections. 


Objectives 
Upon completing this lesson, you will be able to: 
m™ Verify proper PPP configurations using show commands 
m™ Verify proper dialer configurations using show commands 


m Identify the anomalies in PPP configurations using debug commands 


Learner Skills and Knowledge 
To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m= All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO) 
course 


m All knowledge presented in the Jnterconnecting Cisco Network Devices (ICND) course 


Outline 


3-74 


This lesson includes these topics: 


Building Cisco Remote Access Networks (BCRAN) v2.1 


Overview 

PPP Verification 

show dialer Command Example 
PPP Debugging 

Multilink Verification 


Summary 


Quiz 
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PPP Verification 


This topic identifies the commands that verify PPP and link control protocol (LCP) options on 
a Cisco router. 


show interface Command astll 


Routor®’® chow intortacne hrto 7 
BML: Se Cimmimwel 1 as up dom proetlecct os up 
Merdware ia ERT 


MTtI 1890 byresa, SW 64 Kho, OLY 20000 usec, rely 288/985, land 1/288 
Encapoulutlico PPP, lecpbuvck oul vel, koupulave oul sul 


st cnpet Cc Sl, ocutpet C.0f-52, output hang never 
Last clearing of "show interface" counters mever 


Input queue: OF 9S/0 (mise /maz/cropeh: Total output doupe: U 
Butput queue. 6/64/99 (size/threshold/ drope) 
Convermations Of1 {(mctive/meax active} 
Reserved Corvaraattene O/0 (a) l scented /may 2] scared) 
S winute inpur rate © bite/eec, 0 packets/ser 
§ sinute output mite 6 bite/snna, © packeta f/m 
15 packets inpet, 804 bytes, 0 no burfer 
Received 0 brond=msats, © runts, 0 giants 
D anpwt errors, 9 CRC, © trame, 9 cverrun, U ignored, U abert 
14 packets output, SOC bytes, © uncasruns 
SD cutpwut eeccersz. © solliszion=, 9 <ntert ace resets. 0 cantacta 
9 cutput buffar failures. 0 sutput buffers avapped aut 
1 earriar transitiens 
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The show interface command is the best way to verify that a PPP connection has been 
established.Command output indicates this by showing the status IP in IPCP as OPEN. 


The show interface bri command also displays multilink status. The multilink field for the 


individual B channel shows the LCP multilink status as OPEN if the multilink is active. If it is 
enabled, but not active, the status is CLOSED. 
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show dialer Command Example 


3-76 


This topic demonstrates the show dialer command to verify proper PPP operation. 


show dialer Command Example 
ee ree eee ee a SOO | 


eoutert show diules 


BRIO/O - dialer type - [sor 


Daal Scring Successors 
5551235 3 
5551234 21 


Janmcomng callis) have been screened. 
3D incoming call(s) rejected for callback. 


mRID/O=2 ciialeac fype = IScN 
Title timer (69 seood, FPaet idle timer (206 
Re-enable (15 


Wait for ca~ 30 sec 


BRIO/O0:2 - dialer type = IT&0N 


Idle timer (€9 oecar, Faot 
Waat for sa srier 
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Lanz status 


suceasezul 
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Use the show dialer, or the show user, and show line commands to determine if PAP or 
CHAP authentication was passed. The show dialer command can be used for ISDN 


connections. 


If show dialer displays the name of the remote router, PAP or CHAP authentication has 
passed. You can check the show dialer command output on both routers to verify that the name 
of the other router is displayed. If it is, then you know that PAP or CHAP authentication 
worked. The show dialer command output will also indicate if a line is a member of an MLP 


bundle. 


Use the show user command to view the progress of asynchronous dialup connections. 
Authentication has passed if a name is displayed with the line number in the show user output. 
Use the line number in a show line command for details about the asynchronous connection. 
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PPP Debugging 


This topic describes how to debug during the PPP negotiation process. 


debug ppp negotiation Command =xampic 


Pry 
sake Open 


CONTE ELdwtend 14 316 ken 99 
uthioote CHAP (hebORCIIIO| 
MegscRuabes lsd LOMO 'ixh 59011 IITBOA! 
MORe 1524 (el aOeISeay 


Becpointidac | Loca) | les MONO TSCETITIG ary 


= Cumerey (Ldeten) id 08 Ler 25 
MthP te CHAP (Deb OtC2d 5) 
HeELeRRE 2OTPEATTED [SMU NTEIE RAEI 


Sukh vke CHAP [Os*20DCEEIO3} 
Meg-ctaes lsd SOAMIED [lal 50C15 GAD BT) 
Qumerey Cases! be Li? den Le 
theme CHAP (henson? 2 wy] 
Megachuabes 1nd 10 OD (inf 59011 I9TBOA! 

© COMMACK QACKrces) if 117 Bem Lf 
AuthProte GUAP (Oe8I08C2T 205! 
Megicwumber Led LOMPE (x0 99d 12 0Ro8da} 

hate o6 oer 


Precensioy sismd Callas, 44 16 
0 maser 33 ib ie ee eee 
mob.1 “eee. t stereed if Si leet 
erik ePw) mune aa tr 
BOO. EPSP. O COME Clee) 4) di bw UE 
y a 


BPO k EPSP: X CCRTER Peet ' 

moet cece Bebivens TIM TY 

BEA k EPC: O CORR Pieewt! 19 8 tee 

eo-1 cere Rebiceny TUDE Pettaenarnenayy 

BEG k GER: C OOTTERD [FReevt! os ty ee 1 

aao-1 cP BORIS papper bits Beliaetetiny eet tae tetnet 


The debug ppp negotiation command is an excellent tool for troubleshooting the PPP LCP 
negotiation parameters, such as authentication, compression, and MLP. When the LCP is in an 
open state, the NCP negotiation takes place. For PPP to work, LCP options must be negotiated 
before any NCP activities take place. The debug ppp negotiation command allows you to 


observe the following: 


m Authentication (CHAP or PAP) 


= Compression Control Protocol (CCP) 


m= NCP protocols such as IPCP, IPXCP, and ATCP 


When debugging CHAP or PAP authentication specifically, the debug ppp authentication 
command can be used in place of the debug ppp negotiation command. The debug ppp 
authentication output is similar to the debug ppp negotiation output, but limited to CHAP 


and PAP authentication events. 


The CPU process assigns a high priority to the debugging output that can render the system 
unusable. For this reason, use debug commands with caution and only to troubleshoot specific 


problems. 
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Multilink Verification 


This topic identifies the command to verify MLP. 


MLP Verification 
a ee) 


Ox12/Ox1B seed, sent 


sequence Ux1ZE/UalZE rovd/sent |: 
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The show ppp multilink command displays bundle information on a rotary group in the packet 
multiplexing section, including the number of members in a bundle and the bundle to which a 
link belongs. 


The figure displays an example output when two active bundles are on a system. 
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MLP Troubleshooting 


Bundle 


¢ CHAP/PAP/caller ID on answering router? 
¢ Dialer load threshold on one router? 


Use the following problems and solutions to troubleshoot your MLP configuration: 


= Problem 1: MLP is open, but no data is passing through. 
Solution: Check dialer map statements and verify that routing is on. 


= Problem 2: The last link of a bundle dials but never connects. 
Solution: Check debug isdn q931, debug modem, or debug chat command output for 
asynchronous application operation. You can also use the debug ppp multilink events 
command for help. MLP might not be enabled. 


= Problem 3: Data throughput is low. 
Solution: Verify that fair queuing is not enabled. 


The debug ppp multilink command displays packet sequence numbers. The command is 
useful only as a last resort because it will not help troubleshoot why connections are not being 
bundled. 


The debug ppp negotiation command displays the Maximum Receive Reconstructed Unit 
(MRRU) option negotiation. 


The debug ppp authentication command is useful for displaying the steps in the PPP 
authentication process. 


The debug isdn events command also displays information useful for monitoring and 
troubleshooting MLP. 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
——— ena LOO | 


° The show interface command is the best way to 
verify that PPP connection has been established. 


* The show dialer command is the easiest way to 
determine if PAP or CHAP authentication was 
passed. 


* The debug ppp negotiation command is an excellent 
tool for troubleshooting the PPP LCP activities. 


Next Steps 
For the associated lab exercise, refer to the following section of the course Lab Guide: 


m= Lab Exercise 3-1: Configuring and Verifying PPP Operations 
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Quiz 
Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 
Q1) ~~ Which command is the best way to verify that PPP connection has been established? 
A) show interface 
A) show dialer 
B) show stacker 
C) show predictor 
Q2) | Which command is the easiest way to determine if the PAP or CHAP authentication 
was passed? 
A) show dialer 
B) show interface 
C) show pap 
D) show authentication 
Q3) = Which command is an excellent tool for troubleshooting the PPP LCP activities, such 
as authentication compression and MLP? 
A) debug ppp negotiation 
B) debug ppp negotiation tcp 
C) debug remote negotiation 


D) debug the negotiation 


Copyright © 2004, Cisco Systems, Inc. Configuring PPP Features 3-81 


Quiz Answer Key 


Ql) A 

Relates to: PPP Verification 
Q2) A 

Relates to: show dialer Command Example 
Q3) A 


Relates to: PPP Debugging 
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Module 4| 


Accessing Broadband 


Overview 


This module reviews the use of broadband for remote access to a central site using Network 
Address Translation (NAT). The four types of broadband covered are digital subscriber line 
(DSL), cable technology, wireless, and satellite links. 


Objectives 


Upon completing this module, you will be able to: 


Outline 


Describe various broadband options 


Configure NAT so you can reuse a limited number of available registered IP addresses for 
your private network 


Describe RF concepts and the physical infrastructure of a cable link 
Distinguish key attributes for different types of DSL 

Perform a simulated install procedure 

Configure a Cisco 827 router for NAT with PPPoA 


Verify proper operation of DSL and NAT with available Cisco verification commands 


The module contains these lessons: 


Identifying Broadband Features 
Addressing Broadband with NAT 
Describing Cable Technology 

Defining DSL Technology 

Configuring the CPE as the PPPoE Client 
Configuring DSL with PPPoA 
Troubleshooting DSL 
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Identifying Broadband 
Features 


Overview 


This lesson describes the needs that drive development of broadband and the challenges to its 
widespread deployment. 


Relevance 


Broadband can allow remote office staff and small office, home office (SOHO) users to connect 
to the central office (CO) LAN at high speeds for remote access. 


Objectives 
Upon completing this lesson, you will be able to: 
m Describe broadband options as a viable choice for remote access to a central site 
m™ Describe cable options for remote access 
m™ Describe DSL options for remote access 
m= Describe satellite options for remote access 


m™ Describe wireless options for remote access 


Learner Skills and Knowledge 
To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO) 
course 


m All knowledge presented in the Jnterconnecting Cisco Network Devices (ICND) course 


Outline 


4-4 


This lesson includes these topics: 
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Overview 
Broadband Uses 
Cable Options 
DSL Options 
Satellite Options 
Wireless Options 
Summary 


Quiz 
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Broadband Uses 


This topic describes broadband options as a viable choice for remote access to a central site. 


Why Broadband? 


* High-speed access 
* Rich voice and video services 
* Always on 


The Internet is moving from dialup modems and slow connections to a world of high-speed 
broadband using a variety of technologies. Broadband access can allow remote office staff and 
SOHO staff to connect to the CO LAN at high speeds (generally defined as any sustained speed 
above 128 kbps). Broadband access improves employee productivity and provides a foundation 
for rich new voice and video services. Unlike standard dialup connections, broadband is always 
on. 


Broadband options include DSL, fast downstream data connections from direct broadcast 
satellite (DBS), fixed wireless providers, and high-speed cable modems. 
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Cable Options 


4-6 


This topic describes cable options for remote access. 


Cable Options 


Coax serving area 


Headend 


° High speed asymmetric access 


* Constant connectivity without tying up telephone 
service 


° Cable bandwidth shared by users in coaxial 
serving area 


Currently, the most common remote access broadband service is a cable modem. Cable modem 
users connect to the Internet through a digital cable TV connection. One benefit of cable is its 
high speed. Cable modems also offer the benefit of constant connectivity. Because there is no 
need to dial in to the Internet, a user does not have to worry about receiving busy signals. 
Additionally, going online does not tie up a telephone line. Many cable operators offer 
telephone services over cable, such as Voice over IP (VoIP) over Cable and Voice over Cable. 


The primary disadvantage of cable is that the bandwidth is shared among all of the data users in 
a given area. Connection speed could drop during busy periods if the cable operator has not 
placed proper bandwidth quality of service (QoS) mechanisms in place. If there is not enough 
bandwidth available, then customers might not get the minimum committed information rate 
(CIR) that they have purchased. However, in practice, end users tend to experience a much 
higher data rate than the level they have purchased. 
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DSL Options 


This topic describes DSL options for remote access. 


DSL Options 


Copper Loop 


(Local Loop) 


Family of transmission technologies that move data over copper pairs 
Different types of xDSL (Asymmetric/Symmetric) 

All types of DSL are Layer 1 technologies 

ATU-R = ADSL Transmission Unit - Remote 

ATU-C = ADSL Transmission Unit - Central 


DSL is a group of technologies that use the unused bandwidth on a regular copper telephone 
line to deliver fast digital data transmission. DSL connections are as easy to obtain as dial 
access. Like leased lines, DSL connections can be always on if the DSL modem of the 
customer connects to a CO DSL termination. Occasionally, the DSL modem may need to place 
a telephone call if the provider has oversubscribed the service. 


There are two disadvantages to DSL: 
1. DSL has a maximum distance requirement from the PSTN CO of 18,000 feet. 


2. Notall PSTN central offices have been built-out to support DSL. As a result, you may live 
in a neighborhood that is not serviced by a DSL-capable CO while a neighborhood down 
the street may have access to DSL service. 


Copyright © 2004, Cisco Systems, Inc. Accessing Broadband 4-7 


Satellite Options 
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This topic describes satellite options for remote access. 


Satellite Options 


¢ First came the original (bigger) C-band backyard satellite dish 
in the 1980s 


¢ Followed by direct broadcast satellite (DBS) in the 1990s 
¢ DBS uses smaller-size dishes to receive the satellite signals 
° The satellite orbits the earth 22,300 miles above the equator 
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The main issue that satellite access resolves is getting high-bandwidth remote access to places 
without a high-bandwidth infrastructure. The only way to receive broadband communications 
in many rural or low-population areas is via a two-way satellite. 


Satellite services deliver downstream data in bursts up to 400 kbps, with upstream speeds as 
much as 125 kbps. A computer connected to the satellite network does not require time- 
consuming dialup protocols to log in. However, because of the asymmetric nature of satellite 
communication, certain applications such as VoIP do not perform very well over satellite. Also, 
heavy activity on the network can affect satellite speeds. 


The typical satellite system requires a small, 1.2-meter or less satellite dish, two standard 
coaxial cables to connect the satellite dish to a satellite modem, and a satellite modem that 
connects to a PC through an Ethernet or Universal Serial Bus (USB) port. The latest satellite 
systems allow subscribers to send and receive information using a satellite dish and still receive 
television programming. 


Satellite networks include geostationary orbit (GSO) satellites and nongeostationary orbit 
(NGSO) satellites. The latter includes low-earth orbit (LEO) satellites. Latency is higher for 
GSO satellites than for LEO satellites because the GSO is much higher. Most broadband 
satellite options use a satellite in orbit approximately 22,300 miles above the equator. 
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Wireless Options 


This topic describes wireless options for remote access. 


Wireless Options 


Wireless technology provides line-of-sight bridging at 2-Mbps throughput at distances of up to 
25 miles (40.2 km) in U.S. Federal Communications Commission (FCC)-regulated countries or 
6.5 miles (10.5 km) in Europe. This technology can provide up to 11-Mbps connectivity from 
one site to another or from the main site to many remote sites. You need only a bridge and an 
antenna for each site, which can connect to either a wired or wireless network within those 
sites. Wireless technology also enables multiple buildings to share a single high-speed 
connection to the Internet without cabling or dedicated lines. However, you must have line of 
sight. 


Fixed-wireless systems have a long history. Point-to-point microwave connections have long 
been used for voice and data communications. As technology has continued to advance, higher 
frequencies have been employed. Thus, smaller antennas can be used, resulting in lower costs 
and easier-to-deploy systems for private use. The reduction in cost has resulted in a whole 
generation of carriers that are planning to use wireless access as their last mile of 
communication. 
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Wireless Options (Cont.) 


* Various unlicensed frequency bands - Spread spectrum 


* Mobile—low data rate » Residential, SOHO, and sm 


+ Fixed—high data rate business 


+ Multi-sectored node sites 
* Upto 6 miles in multipoint, 
point-to-point 


© 
: 200 MHz hd 
os 


U-NI 


all/medium 


15 miles in 


. 100 MHz 


900 MHz 26 MHz Channel 


24GMz 63.5 MHz Channel 


802.11x WLAN 


UNI 


5.15-5.35 GHz 200 MHz Channel 
Next Gereration WLAN 
6.7 GHz 100 MHz Channel 
Broadband Wireless 
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The fixed wireless broadband market consists of four segments: Local Multipoint Distribution 
Service (LMDS), Multichannel Multipoint Distribution Service (MMDS), license-free fixed 


wireless services in the Industrial, Scientific, and Medical (ISM) 
National Information Infrastructure (U-NII) bands. 


bands, and the Unlicensed 


LMDBS, with a 3-mile range and slightly higher throughput than T3 fiber lines, is best suited to 
large and medium-size enterprises in urban areas. MMDS, with about a 35-mile range and 
throughput comparable to DSL and cable, is targeted at small businesses and residential 
customers, particularly those in multitenant dwellings. License-free services, with a 3-to-25- 
mile range and throughput from 128 kbps to 53 Mbps, vary according to the type of equipment 


used and number of subscribers. 
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Summary 


This topic summarizes the key points described in this lesson. 


Summary 
Eas 


e Acable modem can provide up to 90 times the 
speed of a dial-up connection. 


¢ DSL uses the unused bandwidth on a telephone 
line to deliver fast digital data transmission. 


* Satellite delivers downstream data in bursts up to 
400 kbps, with upstream speeds of up to 125 kbps. 


* Wireless provides bridging at 2 Mbps throughput 
at distances of up to 25 miles. 
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Quiz 


Use the practice items here to review what you have learned in this lesson. The correct answers 
follow in the Quiz Answer Key. 


Ql) 


Q2) 


Q3) 


Q4) 


QS) 


Broadband is generally defined as any sustained speed above 
A) 28,800 bps 

B) 56,000 bps 

C) 96,000 bps 

D) 128,000 bps 


A cable modem could provide up to times the transmission speed (9 Mbps) for 
remote access in the upstream compared to other technologies. 


A) 40 
B) 70 
C) 150 
D) ~—:128 


Like leased lines, DSL connections are 


A) inexpensive 
B) always on 
C) easy to install 


D) all of the above 

Most broadband satellite options use a satellite in orbit approximately __—_sabove the 
equator. 

A) 22,300 miles 

B) 23,300 miles 

C) 32,300 miles 

D) 28,300 miles 


Wireless technology provides line-of-sight bridging at___—_— throughput at distances of 
up to 25 miles, but you must have line of sight. 

A) 1-Mbps 

B) 2-Mbps 

C) 3-Mbps 

D) 4-Mbps 
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Q6) ~LMDS has a slightly higher throughput than fiber lines. 


A) Tl 
B) T3 
C) ISDN 
D) cable 
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Quiz Answer Key 
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Ql) 


Q3) 


Q4) 


Q5) 


Q6) 
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D 


Relates to: 


Cc 


Relates to: 


B 


Relates to: 


A 


Relates to: 


B 


Relates to: 


B 


Relates to: 


Broadband Uses 


Cable Options 


DSL Options 


Satellite Options 


Wireless Options 


Wireless Options 


Copyright # 2004, Cisco Systems, Inc. 


Addressing Broadband with 
NAT 


Overview 


This lesson provides an overview of NAT for remote access networks and describes why NAT 
should be implemented in a broadband environment. 


Relevance 
The two most compelling problems facing the Internet include IP address depletion and scaling 
in routing. There are many solutions being developed to solve these problems, but as they are 
being more fully adopted, a short-term solution is provided by NAT. 
Objectives 
Upon completing this lesson, you will be able to: 
m™ Describe the process of NAT and explain why you enable it 
m Explain the Cisco use of NAT terminology 
m= Describe the process of translating inside source addresses 
m Describe the process of overloading inside global addresses 
= Configure NAT to provide dynamic translation 
™ Configure NAT to provide global address overloading 
m Verify correct operation of NAT using the show commands 
m Identify specific operations in NAT using the debug commands 


m™ Remove specific or all NAT entries using the clear commands 


Learner Skills and Knowledge 
To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m= All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO) 
course 


m All knowledge presented in the Jnterconnecting Cisco Network Devices (ICND) course 


Outline 
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This lesson includes these topics: 


Overview 

NAT Overview 

NAT Concepts and Terminology 

NAT Operation 

Inside Source Address Translation 
Inside Global Address Overload 
Dynamic NAT Configuration 

Inside Global Address Overload Configuration 
NAT Verification and Troubleshooting 
NAT Troubleshooting 

NAT Entry Clearing 

Summary 


Quiz 
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NAT Overview 


This topic describes why NAT is used. 


NAT Overview 


Broadband Internet 


Local 
Address Address 


Conserves public Internet addresses 
Increases network privacy by hiding internal IP addresses 
Allows an unregistered address to connect to the Internet 


Allows translations of many inside addresses to one outside 
address 
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IP address depletion is a key problem facing the public network. To maximize the use of 
registered IP addresses, Cisco IOS software implements NAT. This feature, which is the Cisco 
implementation of RFC 1631, provides a way to use the same IP addresses in multiple internal 
subnetworks, thereby reducing the need for registered IP addresses. 


NAT allows privately addressed networks to connect to public networks such as the Internet. 
The privately addressed “inside” network sends a packet through the NAT router, and the 
addresses are converted to legal, registered IP addresses, enabling the packets to be passed to 
the public network. 


NAT can be used when an internal address scheme must be altered due to a change in service 
providers. It can also be used when merging two intranets, such as when two companies merge. 
NAT can change addresses incrementally, without changes to hosts or routers other than those 
bordering stub domains, thereby eliminating duplicate address ranges without readdressing host 
computers. 


The translation performed using NAT can be either static or dynamic: 


m™ Static translation occurs when addresses in a lookup table are manually configured. A 
specific inside address maps into a prespecified outside address. The inside and outside 
addresses are statically mapped one-for-one. 


m Dynamic mapping occurs when the NAT border router is configured to understand which 
inside addresses must be translated and which pool of addresses may be used for the 
outside addresses. There can be multiple pools of outside addresses. 


Multiple internal hosts can also share a single outside IP address, which conserves address 
space. Address sharing is accomplished by port multiplexing, or changing the source port on 
the outbound packet so that replies can be directed back to the appropriate host. This option is 
commonly referred to as Port Address Translation (PAT), or overloading. 
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NAT Concepts and Terminology 


This topic describes NAT concepts and terminology. 


NAT Concepts 


Viewpoint 
of Host 


“internat” 


or J 
“Private” ¢ 
Side 


Viewpoint 
of Address 
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As discussed, NAT technology enables private IP networks that use nonregistered IP addresses 
to connect to the public network such as the Internet. NAT is usually configured on border 
routers between a stub domain (inside network) and a public network (outside network). To 
properly understand the concepts and configuration of NAT, you must understand the terms 
that Cisco uses to describe NAT components. 


Using the NAT device as the reference point, all IP addresses can be classified as either inside 
or outside and as either local or global: 


= Inside or Outside: Specifies the physical location of an IP host in relation to the NAT 
device 


= Local or Global: Specifies the location of the user, or the user point of view, in relation to 
the NAT device 


For example, an inside global address is the address of an IP host located on the inside network 
from the perspective of a user located on the global network; it is the address that a global user 
would use to communicate with a host on the inside network. 


Inside and local reference the same side of a NAT device; this side is commonly referred to as 
the internal or private network. Outside and global also reference the same side of a NAT 
device; this other side is commonly referred to as the external or public network. The key 
difference is that inside/outside refers to host location whereas local/global refers to the user 
perspective. 


Note The designations of inside/outside and local/global are relative to where NAT occurs. The 
NAT process can occur anywhere and at multiple points between two hosts. 


4-18 Building Cisco Remote Access Networks (BCRAN) v2.1 Copyright #: 2004, Cisco Systems, Inc. 


NAT Terminology 


<b 
W202 


. By 


Te 
— 192,168.22 
= Internet 


@® NAT table 
Inside Local | Inside Global 
@ 
192.168.2.3 |, 
P woraz 192,168.2.2 ; 
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NAT translates the internal local addresses into globally unique IP addresses before sending 
packets to the outside network. NAT takes advantage of the fact that relatively few hosts in a 
stub domain communicate outside of the domain at any given time. Therefore, only a subset of 
the IP addresses in a stub domain must be translated into globally unique IP addresses for 
outside communication. The table details various terms that are used to define NAT functions. 


NAT terminology 


Term 
Inside local IP 
address (A, in figure) 


Inside global IP 
address (B, in figure) 


Outside global IP 
address (C, in figure) 


Outside local IP 
address 

Simple translation (D, 
in figure) 


Extended translation 


Note 


Definition 


The IP address assigned to a host on the inside network. The address can be 
globally unique but obsolete, allocated from RFC 1918 (Address Allocation for 
Private Internet Space), or randomly picked. 


A legitimate IP address (assigned by the NIC or service provider) that 
represents one or more inside local IP addresses to the outside world. The 
address is allocated from a globally unique address space, typically provided by 
the ISP. 


The IP address that was assigned to a host on the outside network by its 
owner. The address is allocated from a globally routable address space. 


The IP address of an outside host as it appears to the inside network. The 
address can be allocated from address space routable on the inside, for 
example, from RFC 1918. 


A translation entry that maps one IP address to another. 


A translation entry that maps one IP address and port pair to another address 
and port pair. 


The NAT examples in this course use an alternative private address range to represent legal 


registered IP addresses. This is a policy decision to avoid the unauthorized use of public 


addresses. 
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NAT Operation 


This topic identifies the various NAT functions. 


NAT Operation 


Internet 


NAT functions 


¢ Translate inside source 


—— addresses 


Inside Local Inside Global 
IP Address IP Address ¢ Overload inside global 


10.1.1.1 192.168.22 |, addresses 
10.1.1.2 192,168.23 J. 
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NAT can be used to perform these functions to support a broadband subscriber: 


= Translating inside source addresses: Establishes a mapping between inside local and 
inside global addresses. 


= Overloading inside global addresses: You can conserve addresses in the inside global 
address pool by allowing source ports in TCP connections or UDP conversations to be 
translated. When different inside local addresses map to the same inside global address, the 
TCP or UDP port numbers of each inside host are used to distinguish between the hosts. 


4-20 Building Cisco Remote Access Networks (BCRAN) v2.1 Copyright «: 2004, Cisco Systems, Inc. 


Inside Source Address Translation 


This topic describes the process of translating inside source addresses. 


Translating Inside Source Addresses 


Inside 


172.2073 


Internet 


© NAT table 


inside Local Inside Global 
IP Address © Address 
10.1.1.3 192.168,2.4 
10.1.1.2 192.168.2.3 


10.1.1.1 192.168.2.2 
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The figure illustrates NAT operation when it is used to translate source addresses from inside a 
network to destinations outside the network. These steps include: 


Step 1 
Step 2 


Note 


Step 3 


Step 4 


Step 5 


User at host 10.1.1.1 opens a connection to outside Host B. 


The first packet that the border router receives from host 10.1.1.1 causes the router 
to check its NAT table, because the packet is going from an inside interface to an 
outside interface. 


If a translation is found because it has been statically configured, the router continues to 
Step 3. If no translation is found and dynamic translation is configured, the router determines 
that address 10.1.1.1 must be translated to an address available from an address pool. The 
router dynamically allocates a new address and sets up a translation of the inside local 
address 10.1.1.1 to a legal inside global address from the dynamic address pool. This type 
of translation entry is referred to as a simple entry. 


The border router replaces the inside local IP address of 10.1.1.1 with the selected 
inside global address, 192.168.2.2, and forwards the packet. 


Host B receives the packet and responds to that node using the inside global IP 
address 192.168.2.2. 


When the border router receives the packet with the inside global IP address, the 
router performs a NAT table lookup using the inside global address as the reference. 
The router then translates the address back to 10.1.1.1, the inside local address, and 
forwards the packet to 10.1.1.1. Host 10.1.1.1 receives the packet and continues the 
conversation. 


For each packet, the router performs Steps 2 through 5. 
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Note With static translations, you can initiate connections from either inside or outside. This is 
because the translation will always be in the translation table. With dynamic translations, 
however, connections must be initiated inside-to-outside or outside-to-inside, depending on 
your configuration. 


When configuring inside-to-outside dynamic NAT using the ip nat inside source list 
command, connections must be initiated from inside. Likewise, when using ip nat outside 
source list for outside-to-inside dynamic translations, connections must be initiated from the 
outside. 
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Inside Global Address Overload 


This topic describes the process of overloading inside global addresses, also known as PAT. 


Inside Global Address Overload 


a 
ro Ss 


HostB 
172.2073 


Internet 


oO 
Host C 
172217,3 


7 @3 NAT table 
= 
10.7.7.1 Address: Port Address: Port IP Address: Port 
TCP | 10.1.1.3:1723 | 192.168.2.2:1492) 172.21.7.3:23 
TGP | 10.4.1.2:1723 | 192.168.2.2:1723) 172.21.7.3:23 
TOP | 10.1.1.1:1024 | 192.168.2.2:1024| 172.20.7.3:23 | 
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The figure illustrates NAT operation when a single inside global address is used to represent 
multiple inside local addresses simultaneously. In this example, an extended translation entry 
table is used, in which the combination of address and port makes each global IP address 
unique. The use of ports to make an address unique is called PAT, a subset of NAT. This 
operation consists of these steps: 


Step 1 


Step 2 


Note 


Step 3 


Step 4 


Step 5 


The first packet the router receives from 10.1.1.1 causes the router to check its NAT 
table because the packet is going from inside to outside. 


User at host 10.1.1.1 opens a connection to Host B. 


If no translation is found, the router determines whether address 10.1.1.1 should be 
translated based on the configuration. The router allocates a new address and sets up a 
translation of the inside local address 10.1.1.1 to a legal global address if configured to do 
so. If overloading is enabled and another translation is active, the router will reuse the global 
address from that translation and save the unique port information to be able to distinguish it 
from the other translation entry. This type of entry is called an extended entry. 


The router replaces the inside local IP address of 10.1.1.1 with the selected inside 
global address, 192.168.2.2, and forwards the packet. 

Outside Host B receives the packet and responds to that node using the inside global 
IP address 192.168.2.2 and TCP port 1024. 

When the router receives the packet with the inside global IP address, the router 
performs a NAT table lookup using the inside global address and port number, and 
the outside address and port number as the references. The router then translates the 
address back to the inside local address of 10.1.1.1 and forwards the packet to 
10.1.1.1. Host 10.1.1.1 receives the packet and continues the conversation. 


For each packet, the router performs Steps 2 through 5. 
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Dynamic NAT Configuration 


This topic describes a sample configuration of dynamic NAT 


Dynamic NAT Configuration 


ip nat pool dyn<nat 192.1668.2.1 192.168.2.254 
netmask 255.255.255.0 


ip nat inside source list 1 pool dyn-nat 

' 

interface Ethernet0 

ip address 10.1.1.10 255.255.255.0 This interface 


ip mat inside «4... connected to the 
' inside network 


interface Seriald 
ip address 172.16.2.1 255.255.255.0 this intoriaco 


ip nat outside <_—————_ conmected lo the 
' outsicle world. 


access-list 1 permit 10.1.1.0 0.0.0.255 
' 


Map inside hosts on the 10.1.1.0/24 network toa pool of globally 
unique addresses in the 192.163.2.0/24 network, 
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To enable dynamic inside source IP address translation, perform these steps: 
Step 1 Configure IP routing and appropriate IP addresses on the router. 


Step 2 Define a standard IP access list for the inside network using the access-list access- 
list--number {permit | deny} source source-wildcard command. 


Note NAT does not always have to occur with directly connected networks. The access list can 
match any inside local addresses or networks that are present on the inside internetwork. 


Step 3 Define an IP NAT pool of global addresses using the ip nat pool pool-name start-ip 
end-ip {netmask netmask | prefix-length prefix-length} [type rotary] command. 


ip nat pool pool-name start-ip end-ip {netmask netmask | 
prefix-length prefix-length} [type rotary] Command 
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Command Description 


pool-name Name of the pool. 

start-ip Starting IP address that defines the range of addresses in the global 
address pool. 

end-ip Ending IP address that defines the range of addresses in the global address 
pool. 


netmask netmask | Network mask that indicates which address bits belong to the network and 
subnetwork fields, and which bits belong to the host field. Specify the 
netmask of the network to which the address pool belongs. 


prefix-length Number that indicates how many bits of the netmask are 1s. Specify the 


prefix-length netmask of the network to which the pool addresses belong. 
type rotary (Optional) Indicates that the range of addresses in the address pool 


identifies real, inside hosts among which TCP load distribution will occur. 


Step 4 Map the access list to the IP NAT pool using the ip nat inside source list access- 
list-number pool pool-name command. 


Step 5 Enable NAT on at least one inside and one outside interface with the ip nat {inside | 
outside} command. Only packets traveling between inside and outside interfaces 
can be translated. For example, if a packet is received on an inside interface but is 
not destined for an outside interface, it will not be translated. 


Note The steps for enabling dynamic outside source IP address translation are similar to those 
listed above, except that the ip nat outside source list access-list-number pool pool-name 
command is used instead. This command maps the access list for outside global addresses 
to the IP NAT pool of available outside local addresses. 


Copyright © 2004, Cisco Systems, Inc. Accessing Broadband 4-25 


Inside Global Address Overload Configuration 
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This topic describes how to configure global address overloading. 


Inside Global Address Overload 
Configuration 


ap mat pool ovrid-nat 192.168.2.1 192.168.2.2 
netmask 255.255.255.0 


ip nat inside source list 1 pool ovrld-nat overload 
! 

interface Ethernet0/0 

ap address 10.1.1.10 255.255.255.0 

ap nat inside 

! 

interface Serial0/0 

ip address 172.16.2.1 255.255.255.0 

ip nat cutside 

! 


access-list 1 permit 10.1.1.0 0.0.0.255 


Translate all inside hosts on network 10.1.1.0/24 to address 
192.168.2.1 or 192.168.2.2 
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To configure inside global address overloading, perform these steps: 
Step 1 Configure IP routing and appropriate IP addresses on the router. 
Step 2 Configure dynamic address translation for inside source addresses. 


Step 3 When you define the mapping between the access list and the IP NAT pool using the 
ip nat inside source list access-list-number pool pool-name command, add the 
overload keyword to the command. 


Step 4 Enable NAT on the appropriate interfaces using the ip nat {inside | outside} 
command. 


Building Cisco Remote Access Networks (BCRAN) v2.1 Copyright #: 2004, Cisco Systems, Inc. 


NAT Verification and Troubleshooting 


This topic describes the commands that are used to verify and troubleshoot NAT. 


Verifying NAT Translations 
eee GCIBCCLCOM 


Basic IP address translation 

reuterfshow ip nat trans 

Pro Inside global Inside local Ontsice iscal Outside clotel 
-- 1$2.2.2.1 10.1.1.1 

— 1$2.2.2.2 10,1.1.2 


IP address translation with overloading 
router#sbh ip nat trans 
Pro Inside global 
ten L192 .268.2.2:110€03 
ten 192 .168.2.15 21067 


Inside lscal 
19.1.1.1:11003 
19.1.1.1:1067 


Qutside lecal 
172 .16.2.2:23 
172.16.3.3:23 


atside global 
172.18.9.2:29 
192.18.2.3:29 


Unique TCP port numbers are used to distinguish 


between hosts. 


A translation for a Telnet connection Is still active. 
Two different inside hosts appear on the outside with a single IP address. 


The commands in the table here can be used to verify NAT operation. 


Commands to Verify NAT Operation 


Command 


show ip nat translations [verbose] 


Description 


Shows active translations 


show ip nat statistics 


Shows translation statistics 
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Verifying NAT Statistics 
ee se a aoe 


scutes! vhow ip neat wteatisutace 

Tetal translations: 2 {0 statac, = dynamic: O extended) Cutvide interfaces: 
Seriald 

inside interfaces: 

Ethernet) 

Fita: 135 Miagea: § 


Expired translaticnrs: 2 
Dynamic mappings: 
—Tneide Source access-list 1 pool dyn-nat refoount 7? 


pool dyn=-nat: metmack 255.255.255.0 
elact 192.153.2.1 ead 192,159.2.250 
type generic, total addresses 250, allocated 2 {1%), 
miaaes © 


Number and type of active translations 
NAT-anabled interfaces 
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The show ip nat statistics command displays the number and type of active translations in the 
system. This number is incremented each time a translation is created and is decremented each 
time a translation is cleared or times out. The number of expired translations is also provided. 
Other information displayed by this command includes: 


m= Interfaces that are NAT-enabled using the ip nat {inside | outside} command. 


m Hits and misses: Number of times a translation table lookup is performed and an entry is 
either found (hit) or an entry is not found and a new entry must be created (miss). 


m= Dynamic translation configuration and statistics. These are described in the table here. 


Output Field Description 

Inside Source The information that follows is about an inside source translation. 
access-list Access list number being used for the translation. 

pool Name of the pool (in this case, dyn-nat). 

refcount Number of translations using this pool. 

netmask IP network mask being used in the pool. 

start / end Starting / ending IP address in the pool range. 

type Type of pool. Possible types are generic or rotary. 
total Number of addresses in the pool available for translation. 
addresses 

allocated Number of addresses being used. 

misses Number of failed allocations from the pool. 
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NAT Troubleshooting 


This topic describes how to troubleshoot NAT. 


NAT Troubleshooting 
a Sane LN ee | 


reuter#Gebug ip nat 
I® MAT debugging i959 on 


> g=10.1.1.1-5192.168.2.1, d=172.16.2.2 [0] 
> 8=172.16.2.2, d=192.168.2.1=->10.1.1.1 [0] 
> 8=10.1.1.19>192.168.2.1, d=172.16.2.2 [1] 
> g=10.1.1.12>192.168.2.1, d=172.16.2.2 [2] 
¢ @7l10.1.1.19>192.168.2.1, d=-172.16.2.2 [3] 
> 071972.16.2.2, &=192.166.2.1->16.1.1.1 (1) 
T= meit2.16.2,.2, an192.168%,2,1-220.1.1.1 (1) 
mi .1.2.1->192,168.2.2, cde272,16.2.2 14) 

> S=20.L.2.L-7192.159.2.2, B=272.26.2.2 [5] 
> s=10.1.1.1->192,160.2.1, d=172,16.2.2 [6] 
fe: g=172.16.2,.2, d=192.163,2,1-310,1,1,1 [2] 


An example address translation inside-to-outside 
& reply to the packet sent 
An example TCP conversation, outside-to-inside 


" Indicates translation was in the fast path 
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If you must use a trace on a NAT operation, use the debug ip nat [/ist | detailed] command in 
this table. 


debug ip nat [list | detailed] Command 


Command Description 


debug ip nat [list | detailed] Displays a line of output for each packet that gets translated 


As shown in the figure, the debug output includes these key points: 


m The asterisk next to NAT indicates that the translation is occurring in the fast path. The first 
packet in a conversation will always go through the slow path (being process-switched). 
The remaining packets will go through the fast path if a cache entry exists. 


m s=10.1.1.1 is the source address and is being translated to 192.168.2.1. 
m d=172.16.2.2 is the destination address. 


m The value in brackets is the IP identification number. This information may be useful for 
debugging because, for example, it can enable you to correlate with other packet traces 
from sniffers. 
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NAT Troubleshooting (Cont.) 


cceterdé¢debug ap mat deta:led 
TF NAT detailed debugging ic on 
router# 
06:20:06: MAT: i: top (10.1.1.1, 1045) <> (172.16.2.2, 23) [432] 
=: NAT: 6-10.1.1.1<>192.168.2.1, d=172.16.2.2 [432] 
06:20:06: MAT: Oo: tep (172.16.2.2, 23) -> (192.168.2.1, 1045) [0) 
: NAT: 8@172.16.2.2, dm192.166.2.1->10.1.1.1 [0] 
: NAT*®: 4: top ¢10.1.1.1, 1045) -> (172.16.2.2, 23) [688] 
>: WAT*®: 2729.12.12 ,2-> 192 .168.2,.1, @r172.16.2,.2 [50608] 
7 WAT*: ©: Sep 1272.16.2.2, 23) -> (192.260.2.1, 10451 [2) 
: WAT*: g=£#172.16.2.2, d= 132.166.2.1 -310.1.1.1 [1] 
: NAT#: d: tep (10.1.1.1, 10945) -> (172.16,2.2, 23) [6a] 
> MAT®: 6=10.1.1.1=<> 192.168.2.1, d=-172.16.2.2 [944] 
9; WAT*®: ©: top (172.16.2.2, 23) -> {(LP2.168.2,1, 10451 (2) 


Inside interface, protocol TCP, source port 1045, destination port 23 
Outside interface, protocol TCP, source port 23, destination port 1045 
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The debug ip nat [detailed] command generates a description of each packet that is being 
considered for translation. This command also outputs information about certain errors or 
exceptional conditions, such as the failure to allocate a global address. In addition to the 
information provided by the basic debug ip nat command, the detailed option reports the 
protocol and the source and destination port numbers for inbound and outbound translations. 


As shown in the figure, the debug output includes these key points: 
m “j:” indicates a packet arriving on the inside interface requiring address translation. 
m “o:” indicates a packet arriving on the outside interface requiring address translation. 


m™ “tcp” refers to the protocol of the packet. 


The value following the IP address represents the port number. 
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NAT Entry Clearing 


This topic describes how to clear NAT entries. 


Clearing NAT Entries 
Se | 


rertereszh ip nat trane 
Pre Treatds glohal 
top 192.166 .2.1:11005 


tep 192.166 .2.1:1067 
router#elea> ip nat trans 
router¥show ip nat trans 


All entries are cleared. 
routertsen tp nat trans 
Fro Inside gichal 

udp 192 ..168.2.2;1220 
tep 192 .168.2.1:11003 
tcp 192 ..160.2,.1;1067 


Cates 
72 .16.2,2: 


172 .16.2.3:23 


Tnatder loosl 


10 .1.1.1:11003 


10 .1.1.1:1067 
* 


Catatde gions! 
172,16,2.2:23 
2 


172.16,2.3:23 


Inside lacal Omtaide losal 
20.2 .2.252120 271.69.2.232559 
10.1.1.13313903 2 2 
20.12.2.252067 272.16.2,4523 


frataida global 
271.69.2.192553 
172.16.2.2:23 
272.2662 3:23 


rcoutertcliem> ap mat trans ucip imxade LU2.168.2.2 10.2.1.2 1220 
172 .69.2.132 S3 172.89.2.132 53 


couverheh ap nat trans 


Fro 
tcp 
tcp 


inside global 
192 .168.2,.1:11003 
192 168.2 ,.1:10€9 


192.168.2.2 is cleared. 


s, Inc. All rights reserved. 


Outside Local 
L9D 16.2,2+23 
LT? 16.2 ,3:23 


inside local 
10.1.1.1:11003 
10.1.1.1:1067 


Votsade clobal 
173.16,2.2+29 
172 .16,.2,3:33 
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If you must clear a dynamic translation entry, use the commands in the table here. 


Commands for Clearing NAT Entries 


Command 
clear ip nat translation * 


clear ip nat translation inside 
global-ip local-ip [outside local-ip 
global-ip] 


clear ip nat translation outside 
local-ip global-ip 


clear ip nat translation protocol 
{inside global-ip global-port local-ip 
local-port | outside /ocal-ip local- 
port global-ip global-port} 
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Description 

Clears all translation entries 

Clears a simple translation entry containing an inside 
translation, or both an inside and outside translation 
Clears a simple translation entry containing an outside 
translation 


Clears an extended entry (in its various forms) 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
Fe 


NAT technology enables private IP networks that use 
nonregistered IP addresses to connect to a public 
network. 


NAT can be used for translating inside source addresses. 


NAT can be used for overloading inside global 
addresses. 


Configure Dynamic NAT configuration and enable 
overloading of global addresses. 


Use show commands to verify correct operation of NAT. 
Use debug commands to identify specific operations 
in NAT. 


Use clear commands to remove specific or all NAT 
entries. 
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Quiz 


Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 


Ql) 


Q2) 


Q3) 


Q4) 


QS) 


How does NAT help solve the limited IP address problem? 

A) NAT allows the use of restricted IP addresses on the public Internet. 

B) NAT translates 32-bit IP addresses to 48-bit IP addresses. 

C) NAT has you renumber all your existing addresses to restricted IP addresses. 
D) NAT translates inside private addresses to legal outside addresses. 


Which is a legitimate public IP address that represents one or more inside local IP 
addresses to the outside world? 

A) inside local IP address 

B) inside global IP address 

C) outside global IP address 

D) outside local IP address 

What is the process of using unique TCP and UDP port numbers to distinguish 
translations for traffic sourced from the same IP address? 

A) overloading inside global addresses 

B) translating inside source addresses 

C) handling overlapping networks 

D) translating inside global addresses 


When translating inside source addresses, the inside local IP address is translated to the 


A) inside IP address of the NAT router 

B) _ outside global IP address of the source host device 

C) inside global IP address of the source host device 

D) _ outside global IP address of the destination host device 


Here is the output of a show ip nat translations command: 


Pro | Inside Global Inside Local Outside Local Outside Global 


tep | 192.168.2.1:11003 | 10.1.1.1:11003 | 172.16.2.2:23 | 172.16.2.2:23 


tep | 192.168.2.1:1067 10.1.1.2:1067 172.16.2.3:23 | 172.16.2.3:23 


Which type of NAT function do these lines indicate is occurring? 


A) dynamic translation of outside local addresses 

B) static translation of inside local addresses 

C) overloading inside global addresses 

D) this is an error display; no NAT function is occurring 
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Q6) When translating inside source IP addresses, you use the ip nat pool command to 
provide a pool of 
A) _ static inside global IP addresses 
B) _ static outside local IP addresses 
C) dynamic inside local IP addresses 
D) dynamic inside global IP addresses 


Q7) — Which best describes the overloading of inside global addresses using NAT? 
A) _ translating multiple inside addresses to a single global IP address 
B) _ translating multiple inside addresses to multiple outside IP addresses 
C) combining two networks that have the same IP addresses 
D) _ translating a single inside address to multiple outside IP addresses 


Q8) | Which command can you use to verify NAT is operating? 
A) show ip nat status 
B) show ip nat pool 
C) show ip nat translations 
D) show ip route 
Q9) What does the detailed option for the debug ip nat command display? 
A) packet switched from cache entry 
B) inside-to-outside NAT IP address and port translations 
C) inside-to-outside NAT IP address translations 
D) NAT translations timers 


Q10) Which command clears an extended IP NAT translation? 


A) clear ip nat translation 

B) clear ip nat translation inside 

C) clear ip nat translation outside 

D) clear ip nat translation protocol inside 
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Quiz Answer Key 


Ql) 


Q2) 


Q3) 


Q4) 


Q5) 


Q6) 


Q7) 


Q8) 


D 


Relates to: 


B 


Relates to: 


A 


Relates to: 


Cc 


Relates to: 


Cc 


Relates to: 


D 


Relates to: 


A 


Relates to: 


Cc 


Relates to: 


Relates to: 


Relates to: 
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NAT Overview 


NAT Concepts and Terminology 


NAT Operation 


Inside Source Address Translation 


Inside Global Address Overload 


Dynamic NAT Configuration 


Inside Global Address Overload Configuration 


NAT Verification and Troubleshooting 


NAT Troubleshooting 


NAT Entry Clearing 


Accessing Broadband 
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Describing Cable Technology 


Overview 


This lesson covers cable technology concepts and the physical infrastructure of a cable link. 


Relevance 


Cable technology can provide a reliable high-speed alternative for remote access to a central 
site. 


Objectives 


Upon completing this lesson, you will be able to: 


Describe a traditional hybrid fiber-coaxial architecture 
Describe how data services can be delivered over a cable network 
Describe how data signals are transmitted over RF channels 


Describe current trends in digital cable systems 


Learner Skills and Knowledge 


To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO) 


course 


m= All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course 


Outline 
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This lesson includes these topics: 


Overview 

Cable Features 

Data over Cable 

Cable System Functionality 

Cable System Components 

Hybrid Fiber-Coaxial Architecture 

Digital Signals over RF Channels 

Cable Technology Terms 

Cable Technology: Putting It All Together 
Process for Provisioning a Cable Modem 
Configuration of a Router with a Cable Modem 


Summary 


Quiz 
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Cable Features 


This topic describes the features of cable technology. 


What Is Cable? 


Distribution Cable 
Trunk Cable 


Cable refers to use of coaxial cable for signal transmission. 
CATV: originally meant “community antenna television.” 
Cost-effective “broadcast” architecture cascaded to users. 
Can offer voice and data as well as analog and digital video. 


CATV, commonly called cable TV, was invented to solve the problem of poor TV reception. 
To ensure that consumers could obtain cable service with the same TV sets that they use to 
receive over-the-air broadcast TV signals, cable operators recreate a portion of the over-the-air 
radio frequency (RF) spectrum within a sealed coaxial cable line. 


Since the introduction of high-speed data and telephony and other such services, it has become 
more common for the larger cable operators to have telephone switches and the cable modem 
termination system (CMTS). These cable operators also maintain other equipment in the same 
facility, taking care of both telephony and data services, in addition to analog and digital video 
services. 


Small and medium-size businesses can gain the following benefits from high-speed cable 
Internet access: 

m Virtual Private Network (VPN) connectivity to corporate intranets 

m SOHO capabilities for work-at-home employees 

m Interactive television 

m PSTN-quality voice and fax calls over the managed IP networks 

Businesses large and small have employees who work from their homes. To stay in touch, 


employees need secure high-speed remote access to the corporate intranet and access to the 
Internet for e-mail communication with customers and suppliers. 
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Data over Cable 


This topic describes how data services can be delivered over a cable network using fiber cable 
technology. 


Why Fiber? 


* Small size 
° Lightweight 
* Easy to handle 


¢ Immune to external 
interference 
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Fiber is used to replace cable amplifiers throughout the cable plant. Amplifiers are placed 
approximately every 2000 feet to ensure that all RF signals will be delivered to the home of the 
user with enough power and clarity to receive all channels within the spectrum (50 to 860 
MHz) for analog TV, digital TV, and digital data cable modem services. 


In a 20-mile plant, approximately 52 amplifiers would be used to reach the last house 20 miles 
away. Fiber allows the cable operator to run longer distances, with less noise, and to remove 
amplifiers from the link. 


The downstream traffic emanates from the headend and is injected into a trunk cable, at signal 


strength above 50 dB. Feeder cables emanate from the trunk cables. Passive devices called 
splitters divide the traffic at branching points to provide geographical coverage. 
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Cable System Functionality 


This topic describes how data services can be delivered over a cable network. 


How a Cable System Works 


Distribution Cable 


Trunk Cable r 
if Cathe ‘a i) 


Headend 
Headend: 


* Somewhat analogous to a telephone company CO 


* A facility where signals are received, processed, 
formatted, and combined 


* Cable signals transmitted on the distribution network 


The headend and its connected coaxial cables and subscribers constitute a cable system. In most 
cases, a cable system is a local operation in a given community that includes: 


= A business office 

m A variety of technical facilities, including the cable network itself 

m A warehouse where materials and spare parts are kept 

m= A storage lot where vehicles are parked and some materials are stored 


The headend is where the cable operator puts the various channels on the frequencies that are 
compatible with the cable network. 


Larger cable systems will be much more complex and may serve several communities in a 


geographical area. Big companies that operate multiple systems are called multiple service 
operators (MSOs). 
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How a Cable System Works (Cenk) 


Distribution network 


¢ Ina hybrid fiber-coaxial (HFC) architecture, optical fiber 
replaces trunk portion of the distribution network. 


¢ Small service areas, each with from as few as 100 to as many 
as 2,000 homes passed. 


¢ Fiber connects between the headend (or hub) and an optical 
node, where light is converted to RF. 


¢ From the node, RF signals are distributed throughout the 
serving area via coaxial cable. 
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The distribution network is made up of fiber and coaxial cabling, which carry television signals 
toward the subscriber. The last part, and also one of the most infamous parts of the cable 
network, is the subscriber drop. The subscriber drop includes the following: 


m Everything from the connection to the feeder out of the utility pole 
m Set-top box 

™ Grounding and attachment hardware 

= Cable 


m All the bits and pieces that make that final connection work 
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Cable System Components 


This topic describes the components of a cable system delivering data services. 


Cable System Components 


Cable Company 
Antenna Site 


Headend Transmission Network 


Subscriber Drops 


The major components of a cable system include: 
m= Antenna site: The location of main receiving antennas for broadcast and satellite reception. 


m Headend: Somewhat analogous to a CO of a telephone company. A facility where signals 
are received, processed, formatted, and combined for transmission on the distribution 
network. 


= Transportation network: Used where necessary to link a remote antenna site to a headend 
or a remote headend to the distribution network. Also used to link microwave, fiber, or 
coaxial supertrunk. 


= Distribution network: In a classic tree-and-branch cable system, trunk and feeder cables 
constitute the distribution network. The trunk is the backbone. The trunk distributes signals 
throughout the community that is being served and typically uses 0.750-inch (19 mm) 
diameter coaxial cable. The feeder branches off the trunk and passes all of the homes in the 
service area, typically using 0.500-inch (13 mm) diameter coaxial cable. 


m= Subscriber drop: Connection between the feeder portion of distribution network and the 
subscriber terminal (TV set, VCR, and so forth). Includes coaxial (typically 59-series or 
6-series coaxial cable), hardware, passive devices, and set-top box. 


This topology minimizes the amount of wiring that is required and is a natural topology for 
broadcasting. The fundamental technical problem encountered by cable TV engineers is that 
broadcast analog signal strength attenuates (weakens) as it moves through conducting material. 


Outside noise, weather, and temperature changes affect signal strength through coaxial cable. 
To combat these problems, cable operators use fiber-optic cable in place of coaxial cable 
trunks. 


Copyright © 2004, Cisco Systems, Inc. Accessing Broadband 4-43 


Hybrid Fiber-Coaxial Architecture 


4-44 


This topic describes current trends in digital cable systems. 


Hybrid Fiber-Coaxial Architecture 


Segments network into smaller serving areas 
Use of fiber minimizes cascaded devices 
Improved quality and reliability 

Reduced operating costs 
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To offer high-speed Internet services, a cable operator creates a data network that operates over 
the HFC system. To deliver data services over a cable network, one 6-MHz television channel 
(in the 50-to-750 MHz range) is typically allocated for downstream traffic to homes, and 
another 6-MHz channel (in the 5-to-42 MHz band) is used to carry upstream signals. 


A headend CMTS communicates through these channels with cable modems that are located in 
subscriber homes to create a virtual LAN connection. 


This upstream and downstream bandwidth is shared by the active data subscribers that are 
connected to a given cable network segment, typically 500 to 2,000 homes on a modern HFC 
network. The tree-and-branch network architecture for HFC can be a fiber backbone, cable area 
network, superdistribution, Fiber to the Feeder, or a ring. 


An individual cable modem subscriber may experience access speeds from 500 kbps to 
2.5 Mbps, depending on the network architecture and traffic load. 


If high usage does begin to cause congestion, cable operators have the flexibility to add more 
bandwidth for data services. A cable operator can simply allocate an additional 6-MHz video 
channel for high-speed data, doubling the downstream bandwidth that is available to users. 


Another option for adding bandwidth is to subdivide the physical cable network by running 
fiber-optic lines deeper into the neighborhoods. This practice reduces the number of homes that 
are served by each network segment and increases the amount of bandwidth that is available to 
customers. 
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Digital Signals over RF Channels 


This topic describes the current RF used in digital cable systems. 


Digital Signals over RF Channels 


tke ‘me 
Electric Waves 4——_—___—-. Radio waves —————>4-—Light Waves—> X-Rays Cosmic © 
Rays 


* Cable uses radio frequency (RF) electromagnetic energy. 
e Frequencies from a few hundred kilohertz to just below infrared. 
¢ RF Spectrum usage in sub-split cable networks has two paths: 


— Headend-to-subscriber is downstream path: 
50 MHz to 860 MHz—this is 810 MHz to RF bandwidth 


— Subscriber-to-headend is upstream path: 
5 MHz to 42 MHz—this is 37 MHz of RF bandwidth 


When you tune your FM radio across the spectrum to find different radio stations, you are 
tuning that radio to different electromagnetic frequencies across the spectrum. Cable works the 
same way. 


The cable TV industry uses the portion of the electromagnetic spectrum between approximately 
5 MHz and 1 GHz. This band is in a portion of the electromagnetic spectrum known as radio 
waves and is commonly as RF. 


Cable carries TV channels or data carriers at different frequencies. The equipment in the 
subscriber home is able to tune to those frequencies and allow the customer to view the 
channel, either on the TV or through a cable modem, and route that information to a computer. 


Cable networks can transmit signals in both directions simultaneously on the same cable. 
Outgoing frequencies to the customer are in the 50-to-860 MHz range, while the incoming 
frequencies are in the 5-to-42 MHz range. 


The downstream path is divided into 6 MHz (or 7 MHz or 8 MHz channels) as defined by a 
frequency plan. 


The cable TV spectrum has been defined by the cable industry as: 
Very high frequency (VHF) low band (TV channels 2 through 6) 
VHF midband (TV channels 98, 99, and 14 through 22) 

VHF high band (TV channels 7 through 13) 

VHF superband (TV channels 23 through 36) 

VHF hyperband (TV channels 37 and higher) 
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The upstream or the reverse path is the frequency that is used to transmit signals from the 
customer back to the cable company. The reverse path operates in the 5-to-42 MHz span. 


The upstream path has no frequency plan. It is up to the cable operator to monitor the frequency 


band of the upstream and place the data signals into clean areas where there is no interference 
from noise and other signals. Usually, the area between 5 and 15 MHz is noisy and is unusable. 
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Digital Signals over RF Channels 1Cont) 


Data-over-Cable Service Interface Specification (DOCSIS): 


¢ RF interface specification of minimum recommended technical 
performance requirements for data 


¢ Cable modem termination system (CMTS) and cable modem 
(CM) vendors must pass certification 


° CableLabs tests and grants (or withholds) DOCSIS “Certified” or 
“Qualified” status 


¢ Cable operators purchase certified/qualified equipment to 
ensure interoperability with vendors 


— Reference: 


¢ A variation is Euro-DOCSIS standards that use 7 MHz and 8 MHz 
for cable plants 


Data-over-Cable Service Interface Specifications (DOCSIS) defines specific bandwidths for 
data signals (200 kHz, 400 kHz, 800 kHz, 1.6 MHz, and 3.2 MHz) that the cable operator can 
use. 


The cable TV industry assigns the available spectrum to serve two purposes. Under the 
National Television Standards Committee (NTSC) standard, the North American TV standard, 
each country can determine its own splits and frequency assignments. DOCSIS specifications 
are based on NTSC TV channel plans. Euro-DOCSIS specifications are written for Phase 
Alternating Line (PAL) based deployments. 

There are three DOCSIS standards currently used: 

m™ DOCSIS 1.0 was the first standard. 

m DOCSIS 1.1 was the standard needed to deploy VoIP packet cable with end-to-end quality. 


™ DOCSIS 2.0, a standard in progress, will be able to provide 30 Mbps in the upstream path. 


For more information, refer to the following: 

- i ‘ficati ‘ficati ital 
S i ficati ‘ficati ee 
_ i ‘ficati ‘fications?0 html 


There is a separate set of standards for Euro-DOCSIS. This standards variation defines the 
physical layers as they fit into 7-MHz and 8-MHz plants around the world. Euro-DOCSIS 
standards specify 108 to 810 MHz for the downstream. These Euro-DOCSIS standards are: 


m SP-RFI-C01-01119 for DOCSIS 1.0, now ANSI/SCTE 22-1 2002 
m SP-RFIv1.1-108-020301 for DOCSIS 1.1, now ANSI/SCTE 23-1 2002 
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Cable Technology Terms 


This topic summarizes basic terms, standards organizations, and RF signaling terms. 


Identifying Cable Technology Terms 


Basic Cable Terms 

° Broadband 

° CATV: Originally community antenna television 
* Coaxial cable 

* Headend 

° Downstream (DS) 

° Upstream (US) 
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The following key terms are commonly used to describe cable technology basics: 


Broadband: Refers to the ability to frequency-division multiplex (FDM) many signals in a 
wide RF bandwidth over an HFC network and the ability to handle vast amounts of 
information. 


Coaxial cable: The principal physical medium with which cable TV systems are built. 
Coaxial cable is used to transport RF signals. Coaxial cable signal loss (attenuation) is a 
function of the diameter of the cable, dielectric construction, ambient temperature, and 
operating frequency (f). 


Headend: The location where the cable company aggregates, combines, mixes, and 
modulates all signals to send them downstream. Upstream signals usually are received in 
the headend. 


Downstream: RF signal flow from headend toward subscribers. Also called forward path. 


Upstream: RF signal flow from the subscribers to the headend. Also called the return or 
reverse path. 
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Identifying Cable Technology Terms ont) 


° NTSC: National Television System Committee 
* PAL: Phase Alternating Line 
¢ SECAM: Sequential Couleur avec Mémoire 
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The following are commonly used standards: 


= National Television System Committee (NTSC): This North American TV technical 
standard is named after the organization that created it in 1941. Uses a 6-MHz modulated 
signal. 

m= Phase Alternating Line (PAL): This TV system is used in most of Europe, Asia, Africa, 
Australia, Brazil, and Argentina. The color difference signals an alternate phase at the 


horizontal line rate. Uses a 6-MHz, 7-MHz, or 8-MHz modulated signal, depending on 
PAL version. 


m= Sequential Couleur avec Mémoire (S9ECAM): This TV system is used in France and 
other eastern European countries. Uses an 8-MHz modulated signal. 
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Identifying Cable Technology Terms Ont) 


° Carrier or RF carrier 

° Spectrum reuse 

° FDM: Frequency-division multiplexing 

* QPSK—Quadrature phase shift keying 

¢ QAM—Quadrature amplitude modulation 
° Carrier-to-noise: C/N (also CNR) 

* Signal-to-noise: S/N (also SNR) 


* Ingress noise 


¢e FEC: Forward error correction 


The following are important cable technology terms about RF signal handling: 


Carrier: Also RF carrier. An electromagnetic signal on which another, lower-frequency 
signal (usually baseband, such as analog audio, analog video, or digital data) is modulated 
to transport the lower-frequency signal to another location. 


Spectrum reuse: The most fundamental concept of cable TV is spectrum reuse. 
Historically, the over-the-air spectrum has been assigned to many uses: two-way radio, 
broadcasting, cellular phones, and pagers. Much of the spectrum is therefore not available 
for the carriage of just TV. The result is an inadequate supply of spectrum to serve viewer 
needs. Cable operators can reuse spectrum that is “sealed” in the coaxial cables of their 
networks. 


Frequency-division multiplexing (FDM): An RF transmission method in which a number 
of transmitters share a transmission medium. Each transmitter occupies a different 
frequency. 


Quadrature phase shift keying (QPSK): A digital modulation method in which the phase 
of the RF carrier is varied to transmit data. There are 2 bits per symbol. 


Quadrature amplitude modulation (QAM): A digital modulation method in which the 
phase and amplitude of an RF carrier are varied to transmit data. Typical QAM types are 
16-QAM (4 bits per symbol), 64-QAM (6 bits per symbol), and 256-QAM (8 bits per 
symbol). 

Carrier-to-noise (C/N): Also carrier-to-noise ratio (CNR). The difference in amplitude 
between the desired RF carrier and the noise in a defined bandwidth. 


Signal-to-noise (S/N): Also signal-to-noise ratio (SNR). Similar to C/N but relates to a 
baseband signal. 


Ingress noise: Over-the-air (OTA) signals that are coupled into the nominally-closed 
coaxial cable distribution system, generally via damaged cable, other network components, 
or poorly shielded TVs and VCRs. Difficult to track down and intermittent in nature. 


Building Cisco Remote Access Networks (BCRAN) v2.1 Copyright #: 2004, Cisco Systems, Inc. 


= Forward error correction (FEC): In data transmission, a process by which data is added 
that is derived from the payload by an assigned algorithm. It allows the receiver to 
determine if certain classes of errors have occurred in transmission and, in some cases, 
allows other classes of errors to be corrected. 
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Cable Technology: Putting It All Together 


This topic describes the use of the various cable components and the issues surrounding the 
technologies that are described in this module. 


Putting Cable Technology All pegeer 


* Components 
— Router and HFC interface (DS/US ports) 
— Bi-directional amplifiers 
— Cable modem 
* Issues 
— Broadcast DS 
— NBMAUS 


(Hybrid 
Fiber-Coaxial} 


Distribution 


Amplifiers 


In the figure shown, the various cable technologies are combined to show how they work 
together. In the downstream path, entertainment signals come in on the left through satellite 
dishes, antennas, and analog and digital video servers. 


The signals are combined onto a coaxial cable in the headend, and then are presented to a fiber 
transmitter. The fiber transmitter converts the signals into light and sends to a fiber node 
somewhere in town. 


Farther down the distribution network, the light is converted back to an RF signal and 
distributed through an amplifier network by the use of taps and drops. 


The cable modem receives RF signals, tunes the RF signal, demodulates the data signal back 
into digital data, and then presents it to the PC. 


In the upstream path, the cable modem takes the response from the PC, modulates it to an RF 
signal, and transmits it at a specific frequency and power level. The transmission specifics are 
determined by the CMTS back into the drop, tap, distribution network, fiber, and eventually to 
the CMTS. 


The CMTS tunes the RF signal, demodulates the data signal back to digital, and routes it to the 
Internet. 
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Process for Provisioning a Cable Modem 


This topic describes the steps that provision a cable modem to work in a SOHO of a subscriber 
that uses TCP/IP. 


Process for Provisioning a Cable Modem 


iw] Internet 


Cable 
Provider 


The cable modem: 


Scans and locks on the RF data channel in the downstream 
Gets info on how to communicate in the upstream path 
Establishes terminations for Layer 1 and 2 communications 
Requests an IP address from a DHCP server 

Requests a DOCSIS configuration file from a TFTP server 
Registers any QoS 

Enables the PC-based network initialization 


There are several steps for provisioning a cable modem to operate with a host system for 
Internet services to provide Cisco Architecture for Voice, Video and Integrated Data (Cisco 
AVVID) content. 


Cable modems are designed and coded to perform these specific DOCSIS-defined steps in the 
initialization and registration sequence: 


Step 1 


Step 2 


Step 3 


Step 4 


Step 5 


Step 6 
Step 7 


The cable modem powering up must scan and lock on the RF data channel in the 
downstream path. 


The modem must read specific maintenance messages in the downstream path that 
inform it how, where, and when to communicate in the upstream path. 


The modem communicates with the CMTS to establish Layer 1 and 2 
communications. 


The cable modem then requests an IP address and core configuration information 
from a Dynamic Host Configuration Protocol (DHCP) server. DHCP servers must 
support RFC 2131 to provide IP addresses to the cable modem. 


The modem requests a DOCSIS configuration file from a TFTP server. DOCSIS 
configuration files are ASCH files created by special DOCSIS editors. To handle the 
request of the modem, the TFTP server must support RFC 1350. 


The cable modem registers with the CMTS, negotiating and ensuring any QoS. 


After the cable modem initiation has completed, the PC downstream from the cable 
modem can request its own IP address from a DHCP server. 
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Configuration of a Router with a Cable Modem 


This topic provides a sample configuration of a Cisco 806 router with an external cable modem. 
hostname KENSROUTER 
! 
logging rate-limit console 10 except errors 
enable secret andrewisgood 
! 
ip subnet-zero 
ip dhcp excluded-address 10.10.10.1 
! 
ip dhcp pool CLIENT 
import all 
network 10.10.10.0 255.255.255.0 
default-router 10.10.10.1 
! 
no ip dhcp-client network-discovery 
lep max-session-starts 0 
! 
! 
! 
interface Ethernet0O 
ip address 10.10.10.1 255.255.255.0 
ip nat inside 
no cdp enable 
hold-queue 32 in 
no shut 
! 
interface Ethernet1 
ip address dhcp 
ip nat outside 
no cdp enable 
no shut 
! 
ip nat inside source list 102 interface Ethernetl overload 
ip classless 
! 
access-list 102 permit ip 10.10.10.0 0.0.0.255 any 
! 
line con 0 


exec-timeout 120 0 
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stopbits 1 

line vty 0 4 

exec-timeout 0 0 

password kenisgood 

login 

! 

scheduler max-task-time 5000 


end 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
ee eee OO] 


Cable networks can offer voice and integrated data as well as 
analog and digital video. 


Cisco high-speed cable Internet equipment use the HFC 
system. 


On a cable network: 


— One 810-MHz channel carries downstream traffic from the 
headend to subscribers. 


— Another 37-MHz channel carries upstream signals from the 
subscriber toward the headend. 


DOCSIS is the cable service interface standard for data carried 
across RF interfaces. 


The DOCSIS CMTS communicates through channels with 
cable modems located in subscriber homes. 


ms, Inc, All rights reser BCRAN v2.1—4-15 
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Quiz 


Use the practice items here to review what you have learned in this lesson. The correct answers 
follow in the Quiz Answer Key. 


Ql) 


Q2) 


Q3) 


Q4) 


QS) 


Q6) 


CATV, commonly called cable TV, was invented to solve what consumer problem? 


A) no data communications 
B) cost-effectiveness 
C) poor TV reception 


D) not enough channels 


The downstream video traffic emanates from the headend and is injected into a trunk 


cable at signal strength above 


A) 25 dB 

B) 50 dB 

C) 75 dB 

D) 100 dB 

The _is the beginning of the cable distribution network. 
A) headend 

B) MSO 


C) cable system 
D) CSP 


The subscriber drop includes 

A) the set-top box 

B) the TV set 

C) every thing up to the utility pole feeder 
D) the backyard pedestal 


Which of the following does not affect signal strength through coaxial cable? 
A) weather 

B) outside noise 

C) temperature changes 


D) topology 


An individual cable modem subscriber may experience access speeds from 


A) 128 kbps to 2.5 Mbps 
B) 250 kbps to 2.5 Mbps 
C) 500 kbps to 2.5 Mbps 
D) 800 kbps to 2.5 Mbps 


Copyright © 2004, Cisco Systems, Inc. Accessing Broadband 


4-57 


4-58 


Q7) 


Q8) 


Q9) 


Q10) 


Ql1) 


Q12) 


The upstream frequencies coming from the customer are in the range of 


A) 
B) 
C) 
D) 


1.6 MHz, and 3.2 MHz) that the cable operator can use. 


A) 
B) 
C) 
D) 


5 to 42 kHz 
5 to 42 MHz 
5 to 42 GHz 


all of the above 


defines specific bandwidths for data signals (200 kHz, 400 kHz, 800 kHz, 


Euro-DOCSIS 
DOCSIS 
NTSC 

PAL 


The location where the cable company aggregates, combines, mixes, and modulates all 


signals to send them downstream is called 


A) 
B) 
C) 
D) 


A) 
B) 
C) 
D) 


headend 
DOCSIS 
NTSC 
PAL 


is the TV system used in most of Europe. 
Euro-DOCSIS 
DOCSIS 
NTSC 
PAL 


In what path are signals demodulated back to digital? 


A) 
B) 
C) 
D) 


upstream 
downstream 
CMTS 

RF 


Where does a PC receive an IP address in a CMTS? 


A) 
B) 
C) 
D) 


from headend 
from DHCP server 
from TFTP server 


from DOCSIS 
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Quiz Answer Key 


Ql) 


Q3) 


Q4) 


QS5) 


Q6) 


Q7) 


Q8) 


Cc 


Relates to: 


B 


Relates to: 


A 


Relates to: 


A 


Relates to: 


D 


Relates to: 


Cc 


Relates to: 


B 


Relates to: 


B 


Relates to: 


Relates to: 


Relates to: 


Relates to: 


Relates to: 
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Data over Cable 


Data over Cable 


Cable System Functionality 


Cable System Components 


Hybrid Fiber-Coaxial Architecture 


Digital Signals over RF Channels 


Digital Signals over RF Channels 


Cable Technology Terms 


Cable Technology Terms 


Cable Technology: Putting It All Together 


Process for Provisioning a Cable Modem 
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Defining DSL Technology 


Overview 


This lesson distinguishes among the variations of DSL and explains the various encapsulation 
methods, including Point-to-Point Protocol over ATM (PPPoA), Point-to-Point Protocol over 
Ethernet (PPPoE), and RFC 1483 Bridged. 


Relevance 


DSL technology can provide a reliable high-speed alternative for remote access to a central site. 


Objectives 
Upon completing this lesson, you will be able to perform the following tasks: 
m™ Describe DSL fundamentals 
m™ Describe the various types of DSL 
m™ Describe the distance limitations of DSL 
m™ Describe the fundamentals of ADSL 
m™ Describe how ADSL and POTS coexist 
m™ Describe encapsulation types for ADSL 
m™ Describe bridging functionality 
m™ Describe PPPoE functionality 
m™ Describe PPPoA functionality 


Learner Skills and Knowledge 
To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO) 
course 


m All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course 


Outline 


4-62 


This lesson includes these topics: 


Building Cisco Remote Access Networks (BCRAN) v2.1 


Overview 

DSL Features 

DSL Types 

DSL Limitations 

ADSL 

ADSL and POTS Coexistence 
ADSL Channels and Encoding 
Data over ADSL: Bridging 
Data over ADSL: PPPoE 
Data over ADSL: PPPoA 
Summary 


Quiz 
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DSL Features 


This topic describes the features of DSL. 


What Is DSL? 
Ra Ee Re 


DSL is a family of access technologies 
that utilize high transmission frequencies 
(up to 1MHz) to deliver high bandwidth 
over conventional copper wiring at limited 
distances. 


4kHz &80kHz2 41 MHz. 
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DSL, although considered an end-to-end solution, really occurs only in the local loop between 
the customer premises equipment (CPE) and the digital subscriber line access multiplexer 
(DSLAM). A DSLAM is the device in the CO that is used to terminate many Layer 1 DSL 
connections. Like dial, cable, wireless, and T1, DSL by itself is a Layer 1 transmission 
technology, not a complete end-to-end solution. 


DSL uses the high-frequency range of up to approximately 1 MHz. For example, asymmetric 
digital subscriber line (ADSL) uses the frequency range of approximately 20 kHz to 1 MHz. 
ADSL does not overlap the plain old telephone service (POTS) voice frequency range. 
Therefore, POTS and ADSL service can coexist over the same wire. Other DSL variants, such 
as single-line digital subscriber line (SDSL), use a frequency range that overlaps the POTS 
voice frequency range. Therefore, POTS and SDSL services cannot coexist over the same wire. 
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DSL Types 
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This topic describes the various types of DSL. 


DSL Variants Examples 
a re  E  ., Meel 


¢« Asymmetric DSL (ADSL) 


— Key feature: Slow travel upstream (from subscriber to CO), fast travel 
downstream (from CO to subscriber) 


Single-Line DSL (SDSL) 
— Key feature: Upstream and downstream speeds are the same 
G.SHDSL 


— Key feature: G.SHDSL is a new standard that was developed by the 
International Telecommunications Union (ITU) that addresses the 
worldwide SDSL market. 


Integrated Services Digital Network DSL (IDSL) 

— Key feature: No call setup 
Very-High-Data-Rate DSL (VDSL) 

— Key feature: Very high speed with shorter reach 
High-Data-Rate DSL (HDSL) 

— Key feature: Used to replace T1 or E1 service 
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DSL variants include the following: 


= ADSL: With ADSL, the connection speed for downloading data is faster than the 
connection speed for uploading data. This type of DSL service is geared more toward a 
residential application, where the typical end user is not concerned with being able to send 
large amounts of data to the Internet. ADSL is perfect for common residential high-speed 
requirements, such as downloading music or movies, playing online games, surfing the 
Internet, or receiving large e-mail messages. ADSL provides slow upstream speed for 
uploading (sending) low-data-rate requests and fast downstream speed for downloading 
bursts of rich graphics and multimedia content 


= SDSL: With SDSL, the connection speed for downloading data is exactly the same as the 
connection speed for uploading data. This type of DSL service is ideal for a commercial 
application where the end user must send large amounts of data over the Internet. SDSL is 
perfect for applications such as sending large e-mail messages with attachments to 
customers, uploading information to a company or corporate server, or updating web pages. 


m= G.SHDSL: A new standard, G.SHDSL, is a symmetric high-data-rate digital subscriber 
line, was developed by the International Telecommunication Union (ITU) that addresses 
the worldwide SDSL market. G.'SHDSL is multirate, multiservice, extended reach, and 
repeatable. Supporting data rates from 192 kbps to 2.3 Mbps, G.SHDSL delivers 
approximately 30 percent greater reach than currently deployed DSL technologies and is 
expected to rapidly replace the proprietary SDSL implementations of today. 


Building Cisco Remote Access Networks (BCRAN) v2.1 Copyright #: 2004, Cisco Systems, Inc. 


= ISDN DSL (IDSL): IDSL is a cross between ISDN and DSL. Like ISDN, it uses a single 
wire pair to transmit full-duplex data up to 144 kbps. IDSL also uses a 2B1Q line code to 
enable transparent operation through the ISDN U interface. IDSL is essentially a leased- 
line ISDN BRI, or an ISDN BRI that is not switched and does not contain signaling (a data 
[D] channel). The line can be configured for a speed of 64 kbps, 128 kbps, or 144 kbps. 
IDSL carries only data, but is ideal for remote users because the signals can be repeated, as 
with ISDN, and because it is billed at a flat rate, thus avoiding per-call fees. 


= Very-high-data-rate digital subscriber line (VDSL): VDSL delivers 13 to 52 Mbps 
downstream and 1.5 to 2.3 Mbps upstream over a single-twisted copper pair. The operating 
range of VDSL is limited to 1,000 to 4,500 feet (304.8 to 1,372 meters). The Cisco Long 
Reach Ethernet (LRE) solution is based on Ethernet over VDSL. 


= High-data-rate digital subscriber line (HDSL): HDSL is commonly used as a T1 or El 
replacement. Because HDSL provides T1 or El speed, telephone companies have been 
using HDSL to provision local access to T1 or El services whenever possible. The 
operating range of HDSL is limited to 12,000 feet (3658.5 meters), so signal repeaters are 
installed to extend the reach. 
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DSL Limitations 


This topic describes the distance limitations of DSL. 


DSL Distance Limitations 


Max. Data Rate Max. Reach 
DSL Technology Deown/Uesliink (bpm) feat (him) Kay Attritaten 


61-55 Mbps / 1.6-2.3¥ bps 1,000 (0.3) Very fast - Short reach 


13Mbps3 / 1.5-2.3h5ps 4,500 (1.5) No Standard 


VOSL 
Coexists wilh POTS 
8Mupe f 1Mupe 
ADSL 18,000 15.5) Technology of choice for! 
1.Shlbps /640kbps | need 
IDSL 144kbps /144kbps — | 13,000 (5.6p+twirepeaters) | Ves etalin ITN OPE 


1168kbps / 1168kbps 12,000 (3.65) se sandard 


G.SHDSL “Ooktps 3 Mtoe, 28,000 (8,82) J 


¢ The tradeoff between different DSL variants is reach vs. speed. 


« Maximum Reach numbers are best-case assuming “clean” copper. 
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The trade-off among various DSL types is reach versus speed. The longer the local loop, the 
lower the maximum speed the DSL connection can support. 


For example, VDSL supports the highest speed but it has the shortest distance limitation. 


For ADSL, the maximum distance is typically about 18,000 feet (5,460 meters). To support the 
maximum ADSL download speed of 8 Mbps, the CPE must be very close to the CO, within 
several thousand feet. 


The maximum speed listed in the figure assumes that there are minimal local loop impairments. 
Here are some of the many local loop impairments that will influence the maximum speed of 
the DSL connections and the ability to obtain DSL service in an area: 


= Loading coils in the local loop: Loading coils will cut off (block) the DSL frequency. 
Loading coils are used to improve POTS quality on long local loops. They are effectively 
low-frequency band pass filters. Loading coils must be removed from the local loop to 
support DSL. 


m= Distance from CO to the DSL CPE: The longer the distance, the lower the speed. 
= Gauge of wire used in the local loop: Thicker wire supports higher speeds. 


m Wire gauge change: Changes in wire gauge cause an impedance mismatch that can reduce 
speed. 


m= Bridge taps: Bridge taps in the local loop cause reflections that can reduce speed. 


= Crosstalk: Crosstalk between different wires in the same bundle can cause interference 
that can reduce speed. 


m= AM radio: AM radio interference can also reduce speed. 
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ADSL 


This topic describes ADSL fundamental concepts. 


ADSL 
aL P| 


¢ ADSL is designed to coexist with POTS, unlike most 
other DSL types. 


¢ ADSL provides slow upstream speed for uploading 
(sending) low-data-rate requests. 


¢ ADSL provides fast downstream speed for downloading 


bursts of rich graphics and multimedia content. 
¢ ADSL features three basic modulation techniques: 


— Carrierless Amplitude and Phase 
(CAP) modulation 


— Discrete MultiTone (DMT) 
— Consumer/Mass-Market DMT (G.lite) 


NOTE: The type of modulation must match the provider. 


ADSL features three basic modulation techniques: 

™ Carrierless Amplitude and Phase (CAP) modulation 

m™ Discrete Multitone (DMT) modulation 

™ Consumer/mass-market DMT (G.lite). This technique is the most popular. 

DMT is a line code that is implemented in ITU 992.1 (G.dmt), ITU 992.2 (G.lite), and ANSI 


T1.413 Issue 2. DMT divides the 1-MHz spectrum offered by a telephone line into multiple 
4-kHz subchannels. Each subchannel is optimized based on the local loop characteristics. 


In contrast, CAP relies on a single channel for upstream and another single channel for 
downstream. 


An installer must check with the service provider to determine which modulation technique is 
being used. The modulation method used must correspond with the ADSL CPE and the ADSL 
modems on the DSLAM. 
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ADSL and POTS Coexistence 


This topic describes how ADSL and POTS coexist. 


ADSL and POTS Coexistence 


STANDARD 
ANALOG PHONE 


FP ae NIC RORILTER 


Customer Premises Central Office 
* ADSL permits transmission of voice and data signals on the samewire pair. 
* Offloads data circuits from the voice switch. 
* POTS splitter at the CO separates analog POTS from data. 


* Microfilters at customer premises percent off-hook interference between 
analog voice signal and ADSL signal. 


tems, Inc. All rights reserved, BCRAN v2.1—4-6 


ADSL is designed to coexist with POTS voice service because ADSL does not overlap the 
POTS frequency range. ADSL and POTS can be carried over the same wire (local loop) to the 
Co. 


A POTS splitter at the CO splits up the POTS (voice) and ADSL (data) traffic. The POTS 
traffic goes to the voice switch in the CO, and the ADSL traffic goes to the DSLAM in the CO. 
The POTS splitter is a passive device. In the event of a power failure, the voice traffic will still 
be carried to the voice switch in the CO. 


ADSL offloads the data (modem) traffic from the voice switch and keeps analog POTS separate 
from data. Separating voice and data traffic provides fail-safe 911 emergency-call services for 
POTS operation in the United States. 


At the customer premises, a POTS splitter can be installed at the network interface device 
(NID) by the service provider technician. However, this process will require a trunk roll 
(having a technician go out to the customer site to install the POTS splitter) to set up the ADSL 
service. Instead of installing a POTS splitter at the NID, most installations today use 
microfilters. Microfilters can be installed by the customer and prevent off-hook interference 
between the analog voice signal and ADSL signal. A microfilter is a passive low-pass filter 
with two ends. One end connects to the telephone, and the other end connects to the telephone 
wall jack. 


4-68 Building Cisco Remote Access Networks (BCRAN) v2.1 Copyright #: 2004, Cisco Systems, Inc. 


ADSL Channels and Encoding 


This topic describes the encapsulation types for ADSL. 


ADSL Channels and Encoding 


CAP 


Downstream data 
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There are two competing and incompatible standards for ADSL. The official American 
National Standards Institute (ANSI) and ITU standard for ADSL is DMT. Most of the ADSL 
equipment installed today uses DMT. An earlier and more easily implemented modulation 
method was the CAP system, which was used on many of the early installations of ADSL. 
Unlike DMT, CAP is proprietary. 


CAP operates by dividing the signals on the telephone line into three distinct bands. Voice 
conversations are carried in the 0-to-4 kHz band, because they are in all POTS circuits. The 
upstream channel is carried in a band between 25 and 160 kHz. The downstream channel 
begins at 240 kHz and goes up to a point that varies, depending on a number of conditions (line 
length, line noise, or number of users in a particular telephone company switch) but has a 
maximum of about 1.5 MHz. This system, with the three channels widely separated, minimizes 
the possibility of interference between the channels on one line or between the signals on 
different lines. 
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ADSL Basics—CAP vs DMT 


Modulation 
_——— ee Co | 


DMT 
Duplex 4 kHz Subchannels Downstream 4 kHz Sub-Channels 


163 1100 kHz 
Frequency 
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DMT also divides signals into separate channels, but does not use two fairly broad channels for 
upstream and downstream data. Instead, DMT divides the data into 250 separate channels, each 
4 kHz. Each channel is monitored and, if the quality is too impaired, the signal is shifted to 
another channel. This system constantly shifts signals among different channels, searching for 
the best channels for transmission and reception. Because DMT uses 250 channels, it is more 
complex to implement than CAP, but it gives more flexibility on lines of differing quality. 


G.lite is a less complex version of the DMT standard. Also known as half-rate DMT, G.lite uses 


only half as many subchannels as DMT and supports a lower maximum downstream speed of 
1.5 Mbps and a maximum upstream speed of 640 kbps. 
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Data over ADSL: Bridging 


This topic describes bridging functionality. 


Data over ADSL: Bridging 


OHCP Server ISP/Corp 
Router 


P= 192. 168,1.4/24 
GWe= 102.964 1 
* Subscriber Ethernet traffic is bridged over ATM using ATM Adaptation Layer 5 (AALS5). 
* All subscribers are in the same broadcast domain (this is bridging). 

° Bridged traffic can be routed via the BVI interface at the aggregation router. 

* The BVI IP address is the end user’s PCs default gateway. 

* Bridging does not scale well. 


DSL is a high-speed Layer | transmission technology that works over copper wires. ATM is 
used as the data-link layer protocol over DSL. 


A DSLAM is basically an ATM switch containing DSL interface cards. The DSL Layer 1 
connection from the CPE is terminated at the DSLAM. The DSLAM terminates the ADSL 
connections, then switches the traffic over an ATM network to an aggregation router. For 
example, the Cisco 6160 DSLAM has an OC-3 ATM uplink and can terminate up to 256 DSL 
subscriber lines. 


There are three major approaches to encapsulating an IP packet over an ATM/DSL connection: 
m RFC 1483/2684 Bridged 

m PPPoE 

m PPPoA 


RFC 1483/2684 describes two methods for carrying the traffic over an ATM network. These 
methods are routed and bridged protocol data units (PDUs). This topic examines only the 
bridged method. 

Using RFC 1483 Bridging, the ADSL CPE is bridging the Ethernet frame from the PC of the 
end user to the aggregation router (this process will be similar in PPPoE). 

At the aggregation router, integrated routing and bridging (IRB) can be used to provide the 
ability to route between a bridge group and a routed interface using a concept called Bridge- 
Group Virtual Interface (BVI). The BVI, a virtual interface within the router, acts like a normal 
routed interface that does not support bridging, but represents the corresponding bridge group 
to routed interfaces within the router. 
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Some of the advantages of bridging are as follows: 


m Bridging is simple to understand and to implement because there are no complex issues of 
routing, authentication requirements for users, and so forth. 


m The CPE in bridge mode acts as a dumb device and does not require any routing 
functionalities. 


m™ Troubleshooting is minimal because whatever comes in from the Ethernet side passes 
(bridged) over to the ATM WAN side. 


m™ Bridging architecture is easy to install because of its simple nature. 


m™ Bridging is ideal for single-user Internet access, because the CPE acts as a set-top box. 
There is no complex troubleshooting required for upper-layer protocols and there is no 
requirement for additional client software installation on the end-user PCs. 


Some of the disadvantages of bridging are as follows: 
m Bridging depends heavily on broadcasts to establish connectivity. 


m= Bridging broadcasts to thousands of users and is inherently unscalable. It consumes 
bandwidth across the xDSL loop of users and requires resources at the headend router to 
replicate packets for the broadcast over a point-to-point (ATM permanent virtual circuit 
[PVC]) medium. 


m™ Bridging is inherently insecure and requires a trusted environment because Address 
Resolution Protocol (ARP) replies can be spoofed and a network address can be hijacked. 


m= Broadcast attacks can be initiated on the local subnet, which will deny service to all 
members of the local subnet. 


m IP address hijacking is possible in a bridge environment. 


= Ina bridged environment, a DHCP server located at the service provider traditionally 
allocates IP addresses to the end-user PC. The BVI IP address is the end-user PCs default 
gateway. 


Certain Internet service providers (ISPs) have used an approach of providing illegal IP 
addresses to their subscribers and then performing Network Address Translation (NAT) at the 
service provider aggregation router. However, this approach does not scale very well as the 
number of subscribers increases because the large number of address translations tax the 
processing power and memory requirements of the router. 


RFC 1483 Bridging is more suitable for smaller ISPs or corporate access, where scalability 
does not become an issue. RFC1483 Bridging has become the choice of many smaller ISPs 
because it is very simple to understand and implement. However, security and scalability issues 
are causing bridging architecture to lose its popularity. 


ISPs are now opting for PPPoA or PPPoE, which are more scalable and much more secure than 
bridging, but are more complex and not very easy to implement. 
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Data over ADSL: PPPoE 


This topic describes PPPoE functionality. 


Data over ADSL: PPPoE 


Aggregation router 
terminates Ue PPP SE 


suTNeSiT. 


Fo with a PPPoE client Agpregation router establishes 
2 host route to 192. 168.1.90 


= ; ence PPP sessice is established 
IP 192.168.1.10 Aggregation 
Row 


GYi points to 


Aggregation Router al loop 


F loe 
CPE in Bridged Mode 
like RFC 1483/2684 Bridging 


ISP/COrp. 
Rowter 5 


Either workstation has special PPPoE Client software loaded 
or the CPE device can be configured to act as the PPPoE Client. 
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PPPoE is also a bridged solution, similar to RFC 1483/2684 Bridging. As with RFC 1483/2684 
Bridging, the CPE is bridging the Ethernet frames from the PC of the end user to an 
aggregation router over ATM. But in this case, the Ethernet frame is carrying a PPP frame 
inside it. The PPP session is established between the end-user PC (the PPPoE client) and the 
aggregation router. 


In the PPPoE architecture, the PC of the end user runs the PPPoE client software to connect to 
the ADSL service. The PPPoE client software first encapsulates the end-user data into a PPP 
frame, and then the PPP frame is further encapsulated inside an Ethernet frame. The IP address 
allocation for the PPPoE client is based on the same principle as PPP in dial mode, which is via 
IP Control Protocol (IPCP) negotiation, with Password Authentication Protocol (PAP) or 
Challenge Handshake Authentication Protocol (CHAP) authentication. The aggregation router 
that authenticates the users can use either a local database on the aggregation router or a 
RADIUS (authentication, authorization, and accounting [AAA]) server. 


PPPoE provides the ability to connect a network of hosts over a simple bridging CPE to an 
aggregation router. With this model, a host uses its own PPP stack and the user is presented 
with a familiar user interface (using the PPPoE client software) similar to establishing a dialup 
connection. Unlike PPPoA, access control, billing, and type of service can be controlled on a 
per-user, rather than a per-site, basis. 
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Note If supporting end-user PPPoE client software is undesirable, then CPE such as the Cisco 
827 router can be configured as the PPPoE client. In this case, the Cisco 827 router acts as 
a router rather than as a simple bridge. It can also act as the DHCP server and use 
NAT/Port Address Translation (PAT) to allow multiple users behind the router to connect to 
the service providers using a single ADSL connection and a single PPP username and 
password. 


Note If an external ADSL modem is used, a Cisco 806 router can be used behind the ADSL 
modem, and the Cisco 806 router can be configured as the PPPoE client. The Cisco 806 
router can also act as the DHCP server and use NAT/PAT to allow multiple users behind the 
router to connect to the service providers using a single ADSL connection and a single PPP 
username and password. 
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Data over ADSL: PPPoE on 


« PPP session is from the end user PC to the aggregation router. 
* Subscriber PC IP address assigned by the aggregation router via IPCP. 


ISP/Corp 


PADS { Session iD 
LOPAPCP 
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PPP normally works over a point-to-point connection only. Additional enhancements to PPP 
were needed to support PPP over an Ethernet multiaccess environment. 


As specified in RFC 2516, PPPoE has two distinct stages, a discovery stage and a PPP session 
stage. 


When the discovery stage is complete, both PPPoE peers know the PPPoE session ID and the 
other Ethernet address of the peer, which together uniquely define the PPPoE session. There are 
four steps to the discovery stage: 


Step 1 The PPPoE client (end-user PC) broadcasts a PPPoE Active Discovery Initiation 
(PADI) packet. 


Step 2 The PPPoE server (aggregation router) sends a PPPoE Active Discovery Offer 
(PADO) packet. 


Step 3 The PPPoE client sends a unicast PPPoE Active Discovery Request (PADR) packet 
to the PPPoE server. 


Step 4 The PPPoE server sends a PPPoE Active Discovery Session-Confirmation (PADS) 
packet. 


PPP then goes through the normal link control protocol (LCP) and Network Control Protocol 
(NCP)-(IPCP) process. 


When a host initiates a PPPoE session, it must first perform discovery to identify which PPPoE 
server can meet the client request. Then, the host must identify the Ethernet MAC address of 
the peer and establish a PPPoE session ID. Although PPP defines a peer-to-peer relationship, 
discovery is inherently a client-server relationship. In the discovery process, a host (the PPPoE 
client) discovers an aggregation router (the PPPoE server). 
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There may be more than one PPPoE server that the host (the PPPoE client) can communicate 
with, based on the network topology. The discovery stage allows the host to discover all PPPoE 
servers and then select one. 


When discovery has been completed successfully, both the host and the selected PPPoE server 
have the information they will use to build their point-to-point connection over the Ethernet. 
After the PPPoE session begins, PPP goes through the normal LCP and NCP (IPCP) process. 


A PPPoE Active Discovery Terminate (PADT) packet may be sent anytime after a session has 
been established to indicate that a PPPoE session has been terminated. Either the host or the 
PPPoE server may send it. 


For more information on the PPPoE specification, refer to RFC 2516. 
Note As per RFC 2516, the maximum-receive-unit (MRU) option must not be negotiated to a size 
larger than 1492 bytes, because Ethernet has a maximum payload size of 1500 octets. The 


PPPoE header is 6 octets and the PPP protocol ID is 2 octets, so the PPP MTU must not be 
greater than (1500 — 8) 1492 bytes. 
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Data over ADSL: PPPoA 


This topic describes PPPoA functionality. 


Data over ADSL: PPPoA 


4—DHCP Server Aggregation 
——— 


i 


—_— «LOPS 
———— es Py 


¢ PPP session is from the CPE to the aggregation router. 
¢ CPE receives an IP address via IPCP like the dial model. 
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PPPoA is a routed solution, unlike RFC 1483 Bridged and PPPoE, where the CPE is set up as a 
bridge. With PPPoA, the CPE is routing the packets from the PC of the end user over ATM to 
an aggregation router. The PPP session is established between the CPE and the aggregation 
router. Unlike PPPoE, PPPoA does not require a host-based software. 


The CPE device must have a PPP username and password configured for authentication to the 
aggregation router that terminates the PPP session from the CPE. The aggregation router that 
authenticates the users can either use a local database on the aggregation router ora RADIUS 
(AAA) Server. The PPPoA session authentication can be based on PAP or CHAP. After the 
PPP username and password have been authenticated, IPCP negotiation takes place and the IP 
address is assigned to the CPE. After the IP address has been assigned, a host route is 
established both on the CPE and the aggregation router. The aggregation router must assign 
only one IP address to the CPE, and the CPE can be configured as a DHCP server and use 
NAT/PAT to support multiple hosts connected via Ethernet behind the CPE. 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
es nas OO] 


* ADSL provides faster downloading speed than 
uploading speed. 


¢ SDSL provides exactly the same downloading and 
uploading speeds. 


* ADSL is designed to co-exist with POTS because 
there is a POTS splitter at the CO. 


° The trade-off between different DSL types is reach 
versus speed. 


¢ The three common encapsulation methods are: 
RFC1483/2684 Bridging, PPPoE, and PPPoA. 
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Quiz 
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Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 


Ql) DSL utilizes high transmission frequencies up to what limit? 


A) 1 MHz 
B) 2 MHz 
C) 3 MHz 
Q2) Which of the following DSL variants offers symmetric speed up to 2.3 Mbps and is an 
ITU standard? 
A) IDSL 
B) ADSL 
C) SDSL 


D) G.SHDSL 


Q3) Which DSL variant offers the highest speed but the shortest reach? 


A) VDSL 
B) ADSL 
C) _ IDSL 

D) ‘SDSL 


E) G.SHDSL 


Q4) The typical maximum distance limit for ADSL service is 
A) 18,000 feet 
B) 22,000 feet 
C) 30,000 feet 
D) 5,000 feet 


Q5) — Which three of the following are ADSL modulation methods? (Choose three.) 


A) CAP 

B) DMT 
C) — Gllite 
D)  2BI1Q 
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Q6) ADSL is designed to coexist with POTS because ; 
A) the ADSL CPE combines voice and data signals 
B) the DSLAM can be configured to separate the voice and data traffic 


C) separate sets of transmission wires are used to transmit the voice and data 
traffic 


D) a POTS splitter at the CO separates voice and data frequency 


Q7) Which ADSL modulation method uses 250 subchannels that are 4 kHz each? 


A) CAP 

B) DMT 
C)  Gllite 
D)  2BI1Q 


Q8) Which three of the following are among the advantages of bridging? (Choose three.) 
A) The CPE in bridge mode acts as a dumb device. 


B) IP address hijacking is possible in a bridge environment. 

C) Bridging architecture is easy to install because of its simple nature. 

D) Bridging is very simple to understand and implement because there are no 
complex issues about routing, authentication requirement for users, and so 
forth. 


Q9) With the PPPoE client software running on the end-user PC, the PPP session is 
established between which two devices? 


A) the end-user PC and the aggregation router 
B) the ADSL CPE and the aggregation router 
C) the end-user PC and the ADSL CPE 

D) the ADSL CPE and the DSLAM 


Q10) PPPoEis specifiedin | 
A) RFC 2516 
B) RFC 2545 
C) RFC 2216 
D) RFC 2534 
Q11) When using PPPoE, the MTU should be set to what size? 
A) 1492 bytes 
B) 1500 bytes 
C) 1508 bytes 
D) 1518 bytes 
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Q12) PPP over ATM requires which two of the following: (Choose two.) 
A) host-based software on the end-user PC 
B) no host-based software on the end-user PC 
C) the CPE to be set up as a bridge 
D) the CPE to be set up as a router 


Q13) With PPPoA, the PPP session is established between which two devices? 
A) the end-user PC and the aggregation router 
B) the ADSL CPE and the aggregation router 
C) the end-user PC and the ADSL CPE 
D) the ADSL CPE and the DSLAM 
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Quiz Answer Key 
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Ql) 


Q2) 


Q3) 


Q4) 


Q5) 


Q6) 


Q7) 


Q8) 


Q9) 


Q10) 


Ql1) 


Q12) 


Q13) 


A 


Relates to: 


D 


Relates to: 


A 


Relates to: 


A 


Relates to: 


A,B,C 


Relates to: 


D 


Relates to: 


B 


Relates to: 


A, C, D 


Relates to: 


A 


Relates to: 


A 


Relates to: 


A 


Relates to: 


B,D 


Relates to: 


B 


Relates to: 


DSL Features 


DSL Types 


DSL Limitations 


DSL Limitations 


ADSL 


ADSL and POTS Coexistence 


ADSL Channels and Encoding 


Data over ADSL: Bridging 


Data over ADSL: PPPoE 


Data over ADSL: PPPoE 


Data over ADSL: PPPoE 


Data over ADSL: PPPoA 


Data over ADSL: PPPoA 
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Configuring the CPE as the 
PPPoE Client 


Overview 


PPPoE provides the ability to connect a network of hosts over a simple bridging access device 
to an aggregation router. Normally, the end-user PC uses the PPPoE client software on the PC 
to connect to the DSL service. However, instead of using the PPPoE client software on the end- 
user PC, the CPE can be configured as the PPPoE client. This configuration will allow multiple 
PCs behind the CPE to connect to the DSL service using a single DSL connection and PPP 
username and password. In this case, the CPE would be configured for routing. This lesson 
discusses how to configure the Cisco 827 router CPE as the PPPoE client. 


Relevance 


This lesson provides an overview of the configuration of a PPPoE client on the Cisco 827 
router CPE. 


Objectives 


Upon completing this lesson, you will be able to: 


List the tasks required to successfully configure a PPPoE client connection on a Cisco 827 
router 


List and explain the commands required to configure a PPPoE client on a Cisco 827 router 


List and explain the commands required to enable a dynamic IP address to be assigned via 
IPCP 


List and explain the commands required to configure PAT to scale DSL operations 


List and explain the commands required to configure DHCP to scale DSL operations 


Learner Skills and Knowledge 


To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m All knowledge presented in the /ntroduction to Cisco Networking Technologies (INTRO) 
course 


m All knowledge presented in the /nterconnecting Cisco Network Devices (ICND) course 


Outline 
This lesson includes these topics: 
m™ Overview 
= Configuration of a Cisco 827 Router as the PPPoE Client 
= Configuration of PPPoE ina VPDN Group 
= Configuration of a PPPoE Client 
= Configuration of the PPPoE DSL Dialer Interface 
= Configuration of PAT 
m= PAT Configuration Example 
™ DHCP to Scale DSL 
= Configuration of a DHCP Server 
= Configuration of a Static Default Route 
m PPPoE Sample Configuration 
= Summary 


= Quiz 
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Configuration of a Cisco 827 Router as the 
PPPoE Client 


This topic describes the configuration tasks that are required to configure a Cisco 827 router as 
the PPPoE client. Configuring DSL requires global and interface configuration commands. 


Configuration Tasks: 
Configuring the CPE as the PPPoE Client 


* Configure a PPPoE virtual private data network 
(VPDN) group 


¢ Configure the ATM Interface 

¢ Configure a Dialer Interface 

* Configure Port Address Translation 
¢ Configure DHCP Server 

° Configure a Static Default Route 


Use the PPPoE DSL configuration tasks listed here in addition to dial-on-demand routing 
(DDR)-derived commands. 


1. Configure a PPPoE virtual private dialup network (VPDN) group. 


2. Configure the ATM interface (ADSL interface) of the Cisco 827 router with an ATM PVC 
and encapsulation. 


3. Create and configure the dialer interface of the Cisco 827 for PPPoE with a negotiated IP 
address and an MTU size of 1492. 


4. Configure PAT on the Cisco 827 router to allow sharing of the dynamic public IP address 
of the dialer interface. 


5. Configure the Cisco 827 router to allow it to be the DHCP server for the end-user PCs 
behind it. 


6. Configure a static default route on the Cisco 827 router. 
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Configuration of PPPoE in a VPDN Group 


This topic describes how to configure PPPoE in a VPDN group. VPDN is a Cisco standard that 
enables a private network dial-in service to span remote access servers. 


PPPoE VPDN Configuration 
ee ___ise9.c0m 


Router (config) #vpdn enable 


¢ Enables VPDN on the router 


Router (config) #vpdn-group name 


* Creates a VPDN group 


Router (config-vpdn-req-in) #request-dialin 
Router (config-vpdn-req-in)#protocol pppoe 


* Creates a request-dialin VPDN subgroup and 
enables the subgroup to establish PPPoE sessions 


VPDN permits networks to extend beyond the physical central network while giving to remote 
users the appearance and functionality of being directly connected to a central network. 


To enable PPPoE in a VPDN, use the enable vpdn command in global configuration mode. 
Next, use the vpdn-group name command in global configuration mode to create a VPDN 


group. Use the commands in the table to configure the VPDN group parameters in config-vpdn 
mode. 


VPDN Commands 


Command Description 
request-dialin Creates a request-dial-in VPDN subgroup 
protocol pppoe Enables the VPDN subgroup to establish PPPoE sessions 
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Configuration of a PPPoE Client 


This topic describes how to configure a PPPoE client. After the VPDN group has been defined, 
the ATM interface must be configured. 


PPPoE Client Configuration 
CT 


Router (config) #interface atm number 


* Configure the ATM interface 


Router (config) #pve vpi/vci 


° Identify the VPI/VCI virtual circuits 


Router (config-if-atm-vc) #pppoe-client dial-pool-number number 


* Bind a dialer profile to the ATM interface 


Configure the ATM interface (ADSL interface) of the Cisco 827 router with an ATM PVC and 
encapsulation. 


To configure a PPPoE client on an ATM interface, use the interface atm number command in 
global configuration mode to enter interface configuration mode. 


Next, specify the virtual path identifier/virtual channel identifier (VPI/VCI). A virtual path is a 
logical grouping of virtual circuits (VCs) that allows an ATM switch to perform operations on 
groups of VCs. A virtual channel describes a logical connection between the two ends of an 
ATM VC. A PPPoE deployment offers no easy way to dynamically discover the PVC 
(VPI/VCI) values. The DSL service provider will provide the VPI/VCI value to use in the 
Cisco 827 router. 


To configure the VPI/VCI, use the pve vpi/vci command. 


Note ATM cells consist of five bytes of header information and 48 bytes of payload data. The VPI 
and VCI fields in the ATM header are used to route cells through ATM networks. The VPI 
and VCI fields of the cell header identify the next network segment that a cell must transmit 
on its way to its final destination. 


Next, configure the PPPoE client encapsulation and specify which dialer interface to use. Use 
the pppoe-client dial-pool-number number command to bind the ATM interface to a dialer 
interface to set the encapsulation to PPPoE client. 


Finally, configure the ATM interface by default with the dsl operating-mode auto command. 
This default value should not be altered because it allows the Cisco 827 router to automatically 
detect the proper modulation method to use. 
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Configuration of the PPPoE DSL Dialer Interface 


This topic describes the commands that are required to configure a DSL dialer interface. After 
the ATM interface has been configured, the dialer interface must be configured. 
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Configuring the PPPoE Dialer Interface 
et SAO | 


interfaces ATMO/O0 
no ip address 


dsl operating-mode auto 
pvc 8/35 
pppoe-client dial-pool-nunber 1 


interface Dialerd 
ip address negotiated 


encapsulation ppp 
dialer pool 1 

no cdp enable 

ip mtu 1492 


ppp chap hostname cisco 
ppp chap password cisco 
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Use the commands in the table for PPPoE DSL dialer configuration. 


Dialer Commands for DSL 


Command 


ip address negotiated 


Description 


Enables a dynamic address from the service provider using IPCP. With 
IPCP, DSL routers automatically negotiate a globally unique (registered or 
public) IP address for the dialer interface from the service provider 
aggregation router. 


encapsulation ppp 


Specifies PPP encapsulation for the dialer interface. 


dialer pool number 


Specifies to which pool the dialer interface is assigned. 


no cdp enable 


Stops Cisco Discovery Protocol (CDP) advertisements from going out the 
dialer interface. 


ip mtu 1492 


Reduces the maximum Ethernet payload size from 1500 to 1492. (PPPoE 
header requires 8 bytes). 


dialer-group number 


Configures the dialer group number that will correspond with a dialer list to 
identify interesting traffic. 


Note Unlike ISDN DDR configuration, DSL is always on. Therefore, a dialer list is not required to 
identify interesting traffic. 
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Configuration of PAT 


This topic describes how to configure addressing translations using PAT. 


Router (config) #ip nat inside source list 101 interface Dialer0d 
overload 


* Enable dynamic translation of addresses using the 
assigned IP address of the Dlaler0 interface 


¢ Ethernet interface as inside and the Dialer interface 
as outside 


NAT overload, commonly referred to as PAT, and PPP/IPCP are popular techniques used to 
scale limited addresses. Using NAT overload means that you can use one registered IP address 
for the interface to access the Internet from all devices in the network. 


Copyright © 2004, Cisco Systems, Inc. Accessing Broadband 4-89 


PAT Configuration Example 
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This topic describes an example of configuring PAT. 


PAT Configuration Example 
OR | 


' 
interface Etherneto 


ip address 10.0.0.1 255.0.0.0 
ip nat insice 
' 


interface DialerO 

ap address negotiated 
ip nat outsaida 
encapsulation ppp 
dialer peel 1 

no cdp enable 


ppp chap hostname ciaceo 
Ppp chap password 7 1511021F0725 
' 


ip nat inside source list 101 interface Dialer? overload 
access-list 101 permit ip 10.0.0.0 0.255.255.255 any 
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The figure illustrates a sample PAT configuration on the Cisco 827 router. 
The access list will match any source address in the 10.0.0.0 network. 


In this example, the Dialer0 interface is the outside interface, and the Ethernet0 interface is the 
inside interface. 


The 10.x.x.x source addresses will be translated using PAT to the Dialer0 IP address. The 
Dialer0 interface receives its IP address from the service provider aggregation router using 
IPCP. 
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DHCP to Scale DSL 


This topic describes how to scale DSL. 


Configure a DHCP Server 


Router (config)#ip dhcp pool [pool name] 


* Enable a DHCP pool for use by hosts 


° Specify the network and subnet mask of the pool 


Router (dhcp-config) #default-router [host address] 


° Specify the default router for the pool to use 


The Cisco IOS DHCP Server feature is a full implementation that assigns and manages IP 
addresses from specified address pools within the router to DHCP clients. After a DHCP client 
has booted, the client begins sending packets to its default router. The IP address of the default 
router should be on the same subnet as the client. 


The Cisco IOS DHCP Server was enhanced to allow configuration information to be updated 
automatically. Network administrators can configure one or more centralized DHCP servers to 
update specific DHCP options within the DHCP pools. The remote servers can request or 
“import” these option parameters from the centralized servers. 
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Configuration of a DHCP Server 


This topic describes how to configure the Cisco 827 router as the DHCP server for the end-user 
PCs behind the router Ethernet interface. 


DHCP Server Configuration Example 
ee nd ee ae | 


hostname dslrouter 

' 

ip dhcp pool teaml1 
import all 


network 10.0.0.0 255.0.0.0 


default-—-router 10.0.0.1 
' 


interface Ethernet0 
ip address 10.0.0.1 255.0.0.0 
ip nat inside 
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To configure a DHCP address pool on a Cisco IOS DHCP Server and enter DHCP pool 
configuration mode, use the ip dhcp pool name global configuration command. 


To import DHCP option parameters into the Cisco IOS DHCP Server database, use the 
import all DHCP pool configuration command. This example uses PPP IPCP. 


To configure the subnet number and mask for a DHCP address pool on a Cisco IOS DHCP 
Server, use the network network-number [mask | prefix-length| DHCP pool configuration 
command. 


To specify the default router list fora DHCP client, use the default-router address 
[address2...address8| DHCP pool configuration command. Note that the DHCP server excludes 
this address from the pool of assignable addresses. 


The commands in the table here allow individual configuration of which DHCP option 
parameters are requested. 


ppp ipcp Commands 


Command Description 


ppp ipcp dns request Requests the Domain Name System (DNS) server addresses 
from the peer 


ppp ipcp wins request Requests the Windows Internet Name Service (WINS) server 
addresses from the peer 
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Configuration of a Static Default Route 


This topic describes how to configure a default static route. 


Configuring a Static Default Route 


Router (config)#ip route 0.0.0.0 0.0.0.0 dialerd 


° The CPE can use a static default route to reach all 
remote destinations 


Configure a static default route on the Cisco 827 router to allow the router to reach all unknown 
destinations toward the dialer interface. In most DSL installations, the CPE will not be running 
a dynamic routing protocol to the aggregation router of the service provider. Therefore, a static 
default route is required on the Cisco 827 router. 


When the PPPoE session has been established between the Cisco 827 router and the 
aggregation router of the service provider, the dialer interface IP address is assigned from the 
service provider aggregation router via IPCP. The service provider aggregation route will 
automatically build a host route to reach the Cisco 827 router-dialer interface. 
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PPPoE Sample Configuration 
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This topic describes an example of a complete PPPoE configuration. 


PPPoE Sample Configuration 


hostname dolrouter 
‘ 


ip chop pool teanl 
network 10.0.9.0 285.0.0.9 
default-router 10.0.0.1 


! 
vpdn enable 
1 


VPain-group pppee 
xrequest~cGialio 
protecs. pppoe 
' 
interface ATMO/C 
Two ip adaresse 
ixl opermtancg made mute 


coolesucnier 1 


interface Ethernet 
ip address 10.0.0.1 255.0.0.0 
ap ual inside 
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interface Dialesd 
ap achicess negutiated 
encapsulatice rep 
dialer rool 1 
ap mtu 1492 
=D nat sutsice 
PSP authentication ches callin 
Pep chisp pesavosd myseccet 
' 
ap sal inside scurce list 11 
anverclace Dialex? overload 
access list 101 permit op 10.0.5.0 
0.255.255.255 any 


ap cemate 0.9.0.0 0.0.0.9 Diwlerd 
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The sample shows the commands for configuring DHCP services and the commands for setting 
up static default routing. 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
oe SL SIN P| 


¢ Configuring DSL requires global and interface 
configuration commands. 


° In DSL, an ATM VCI/VPI pair must be configured to 
match the service provider. 


¢ After the ATM interface is configured, the dialer 
interface must be configured. 


¢ The Cisco 827 router performs PAT and serve as a 
DHCP server for the end-user PCs. 


° A static default routes is configured on the Cisco 
827 router. 
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Quiz 
Use the practice items here to review what you learned in this lesson. The correct answers are 


found in the Quiz Answer Key. 


Ql) When configuring a PPPoE client on the Cisco 827 router, on which interface is the 
MTU size set to 1492? 


A) the Ethernet interface 
B) the ATM interface 
C) the serial interface 


D) the dialer interface 


Q2) Which PPPoE configuration command is used to establish PPPoE sessions? 
A) request-dialin 
B) protocol pppoe 
B) enable vpdn 
C) vpdn enable 
D) vpdn-group name 
Q3) = Which ATM interface configuration command is used to set the VPI/VCI on a Cisco 
router? 
A) encapsulation pve 1/32 
B) pve 1/32 
C) interface-dlci 1/32 
D) vpi/vei 1/32 
Q4) — Which dialer interface command sets the maximum Ethernet payload size from 1500 to 
1492? 
A) mtu 1492 
B) ip mtu 1492 
B) 1492 mtu 


C) no such command 
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Quiz Answer Key 


Ql) D 
Relates to: Configuration of a Cisco 827 Router as the PPPoE Client 
Q2) B 
Relates to: Configuration of PPPoE ina VPDN Group 
Q3)  B 
Relates to: Configuration of a PPPoE Client 
Q4)  B 


Relates to: Configuration of the PPPoE DSL Dialer Interface 
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Configuring DSL with PPPoA 


Overview 


DSL is an ideal solution for high bandwidth remote access to a central site. 


Relevance 


This lesson provides an overview of the concepts and configuration of PPPoA on a Cisco 827 
router CPE. 


Objectives 


Upon completing this lesson, you will be able to: 


List the tasks required to successfully configure a Cisco 827 router for PPPoA DSL 
connection 


List and explain the commands required to configure an ATM interface for PPPoA 


List and explain the commands required to configure a dialer interface for PPPoA 
operations 


List and explain the commands required to configure PAT to scale DSL operations 


List and explain the commands required to configure a DHCP server to scale DSL 
operations 


Learner Skills and Knowledge 


To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


All knowledge presented in the /ntroduction to Cisco Networking Technologies (INTRO) 
course 


All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course 


Outline 


4-100 


This lesson includes these topics: 


Overview 

Configuration of a PPPoA DSL Connection 
DSL Modulation Configuration 
Configuration of the DSL ATM Interface 
Configuration of the DSL Dialer Interface 
Configuration of PAT 

PAT Configuration Example 

DHCP to Scale DSL 

Configuration of a Static Default Route 
PPPoA Sample Configuration 

Summary 


Quiz 
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Configuration of a PPPoA DSL Connection 


This topic provides a list of configuration tasks that are required to configure a PPPoA DSL 
connection. Configuring DSL requires global and interface configuration commands. 


Configuration Tasks for DSL 


¢ Configure the ATM Interface 

* Configure a Dialer Interface 

* Configure Port Address Translation 
* Configure DHCP 

* Configure a Static Default Route 
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Use the tasks listed here in addition to DDR-derived commands to configure DSL: 


1. 


Configure the ATM interface (ADSL interface) of the Cisco 827 router with an ATM PVC 
and encapsulation. Specify the VCI/VPI that has been assigned by the service provider. 
Assign the ATM interface to a dialer pool. 


Configure a dialer interface. Use IPCP IP address negotiation and PPP CHAP or PAP 
authentication. 


Configure PAT. 
Configure DHCP. The Cisco 827 router can be the DHCP server for the end-user PCs. 


Configure a static default route. 
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DSL Modulation Configuration 


This topic describes the dsl operating-mode command. Selecting the correct DSL modulation 
is crucial when configuring DSL. 


DSL Modulation Configuration 
ee | 


Router (config) #interface atm 0 
Router (config-if)#dsl operating-mode auto 


° Permits the router to automatically determine the 
service provider’s DSL modulation. 


° This is the default setting on the Cisco router. 


Use the dsl operating-mode auto interface configuration command to specify that the router 
will automatically detect the DSL modulation that the service provider is using and set the DSL 
modulation to match. 


An incompatible DSL modulation configuration can result in failure to establish a DSL 
connection to the DSLAM of the service provider. 
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Configuration of the DSL ATM Interface 


This topic lists and explains the command required to configure the ATM interface on the 
Cisco 827 ADSL router. In DSL, an ATM VC must be configured to communicate with the 
service provider. 


Configure the DSL ATM Interface 


Router (config-if)#pve 1/32 


* Create an ATM PVC for the router. 
NOTE: the PVC VPI/VCI must match the provider. 


Router (config-atm-vc) #encapsulation aal5mux ppp dialer 


* Use the encapsulation command to identify the 
layer 2 encapsulation. 


Router (config-atm-vc) #dialer pool-member 1 
° Specify a dialer pool-member. 


NOTE: DSL only runs between the CPE and the DSLAM. 


Use the pve interface configuration command with the VPI/VCI to set the VPI/VCI that is used 
by the DSL service provider, as shown in the table here. Settings for the VPI/VCI value on the 
Cisco 827 router must match the DSLAM of the service provider switch configuration. ATM 
uses the VPI/VCI to identify an ATM VC. 


pvc Commands 


Command Description 
vpi Virtual path identifier from service provider 
vei Virtual circuit identifier from service provider 


The encapsulation method must correspond with that configured on the aggregation router. The 
table here shows encapsulation commands. 


Use the dialer pool-member command to specify which dialer interfaces may use the ATM 
physical interface on the Cisco router. 


Encapsulation Commands 


Command Description 


encapsulation aal5mux ppp | Sets the encapsulation for PPPoA, which uses ATM adaptation layer 
dialer 5 (AALS) in the mux mode 


dialer pool-member Links the ATM interface to a dialer interface 
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Configuration of the DSL Dialer Interface 


This topic lists and reviews the commands that are required for configuring the DSL dialer 
interface After the ATM interface has been configured, the dialer interface must be configured. 
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Configuring the DSL Dialer Interface 
OO... el 


! 


interface ATM O 
no ip address 


pvc 8/35 
encapsulation aal5Smux ppp dialer 
dialer pool-member 1 


interface dialero 
ip address negotiated 
encapsulation ppp 


dialer pool l 
no cdp enable 
Ppp chap hostname cisco 
Ppp chap password cisco 
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Use the commands in the table for DSL dialer configuration. 


Dialer Commands for DSL 


Command 


ip address negotiated 


Description 


Enables a dynamic address from the service provider aggregation router 
using IPCP. With IPCP, DSL routers automatically negotiate a globally 
unique (registered or public) IP address for the dialer interface from the 
aggregation router of the service provider. 


encapsulation ppp 


Specifies PPP encapsulation for the dialer interface. 


dialer pool 1 number 


Specifies to which pool the dialer interface is assigned. Links the dialer 
interface to the ATM interface. 


no cdp enable 


Stops CDP advertisements from going out the dialer interface. 


ppp chap hostname 


Specifies the hostname for CHAP authentication. 


ppp chap password 


Specifies the password for CHAP authentication. 
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Configuration of PAT 


This topic describes how to configure address translations using PAT. 


Router (config) #ip nat inside source list 101 interface 
Dialer0 overload 


* Enable dynamic translation of addresses using the 
assigned IP address of the Dialer0 interface. 


Router (config) #access-list 101 permit ip 10.0.0.0 
0.255.255.255 any 


* Specify the addresses that may be translated. 


¢ Establish the Ethernet interface as inside and the 
Dialer interface as outside. 


NAT overload, commonly referred to as PAT, and PPP/IPCP are popular techniques that are 
used to scale limited addresses. Using NAT overload means that you can use one registered IP 
address for the interface to access the Internet from all devices in the network. 
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PAT Configuration Example 
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This topic describes an example for configuring PAT. 


PAT Configuration Example 
i SE ON S| 


! 

interface Ethernet0d 

ip address 10.0.0.1 255.0.0.0 

ip nat inside 

! 

interface Dialserd 

ip address negotiated 

ip nat outside 

encapsulation ppp 

dialer pool 1 

no crop enable 

pep chap hostname cisco 

ppp chap password 7 151102170725 

! 

ip nat inside source list 101 interface Dialer? overload 
access-list 101 parmi+t ip 10.0.0.0 0,255,255.255 any 


The figure illustrates a sample PAT configuration on the Cisco 827 router. 
The access list will match any source address in the 10.0.0.0 network. 


In this example, the Dialer0 interface is the outside interface and the Ethernet0 interface is the 
inside interface. 


The 10.x.x.x source addresses will be translated using PAT to the Dialer0 IP address. The 
Dialer0 interface receives its IP address from the service provider aggregation router using 
IPCP. 
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DHCP to Scale DSL 


This topic describes how to scale DSL with DHCP. 


Using DHCP to Scale DSL 


Router (config)#ip dhcp pool [pool name] 


* Enable a DHCP pool for use by hosts 


° Specify the network and subnet mask of the pool 


Router (dhcp-config) #default-router [host address] 


° Specify the default router for the pool to use 


The Cisco IOS DHCP Server feature is a full DHCP server implementation that assigns and 
manages IP addresses from specified address pools within the router. After a DHCP client has 
booted, the client begins sending packets to the default router. The IP address of the default 
router should be on the same subnet as the client. 


The Cisco IOS DHCP Server was enhanced to allow configuration information to be updated 
automatically. Network administrators can configure one or more centralized DHCP servers to 
update specific DHCP options within the DHCP pools. The remote servers can request, or 
“import” these option parameters from the central servers. 
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Configuration of a Static Default Route 


This topic describes how to configure a static default route. 


Configuring a Static Default Route 


Router (config)#ip route 0.0.0.0 0.0.0.0 dialerd 


¢ The CPE can use a static default route to reach all 
remote destinations 
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Configuring a static default route on the Cisco 827 router allows the router to reach all 
unknown destinations toward the dialer interface. In most DSL installations, the CPE will not 
be running a dynamic routing protocol to the aggregation router of the service provider. 
Therefore, a static default route is required on the Cisco 827 router. 


When the PPP session has been established between the Cisco 827 router and the aggregation 
router of the service provider, the dialer interface IP address is assigned from the aggregation 
router of the service provider via IPCP. The aggregation router of the service provider will 
automatically build a host route to reach the Cisco 827 router dialer interface. 
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PPPoA Sample Configuration 


This topic describes an example of a PPPoA configuration. 


PPPoA Sample Configuration 
| a | 


hostnartc delrovtcr 
' 


ap dhcp pool teaml 
networ’ 10.0.0.0 255.0.0.0 
default-router 10.9.0.1 

' 

del opersatine—-msda auste 


t 
Tetertace AT /O 


nc ip addcons 

pye 1/32 
encapsulaticn aalibmux ppp dialer 
dialer poocl-member 1 

' 

interface Ethernet.C 

ip acticess 19.0.0.1 255.0.9.0 

ip fal ianeide 


anterface Gialect 

aP aGdress negotiated 

im nat outside 

euGaepsulalicn ppp 

Graler pool l 

ip mat outside 

Pep chap dsetnsre cisos 

PEP chap paxawnsd 7 idenconacniA 
' 


Ip nat inaide source tiat 101 
anrerface Dialer) owerlaad 

accesée~Last 101 pacmat ap 10.9,0.9 
0.285.255.0255 anv 


ap reste 6.9.0.0 0.9.0.0 Domlerd 
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The sample shows an example of the commands that are used for configuring PPPoA. 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
850m 


* Configuring DSL requires global and interface 
configuration commands. 


¢ In DSL, an ATM VCI/VPI pair must be configured to 
communicate with the service provider. 


* Once the ATM interface is configured, the dialer 
interface must be configured. 


¢ The Cisco 827 router performs PAT and serves as 
a DHCP server for the end-user PCs. 


° A static default routes is configured on the Cisco 
827 router. 
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Quiz 
Use the practice items here to review what you have learned in this lesson. The correct answers 


follow in the Quiz Answer Key. 


Ql) When configuring DSL on a Cisco router, where does the information for the correct 
VCI/VPI come from? 


A) the DSL service provider 
B) the DSL modem manufacturer 
C) the local electronics retail store 
D) can be any number that is locally assigned by the customer 
Q2) Which Cisco router command is used to permit the DSL router to determine 
modulation automatically? 
A) dsl modulation auto 
B) dsl operating-mode auto 
B) dsl hub-type auto 
C) dsl dmt-type auto 
Q3) Which ATM interface configuration command is used to set the encapsulation method 
to PPPoA? 
A) encapsulation aal5mux ppp dialer 
B) encapsulation ppp 
C) encapsulation pppoa 
D) encapsulation aal5 dialer pool-member 1 
Q4) — Which dialer interface configuration command is used to stop CDP advertisements on a 
Cisco router? 
A) no cdp run 
B) no cdp enable 
C) no cdp adv 
D) cdp disable 
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Quiz Answer Key 
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Ql) A 
Relates to: 
Q2) B 
Relates to: 
Q3) A 
Relates to: 
Q4) iB 
Relates to: 


Configuration of a PPPoA DSL Connection 


DSL Modulation Configuration 


Configuration of the DSL ATM Interface 


Configuration of the DSL Dialer Interface 


Building Cisco Remote Access Networks (BCRAN) v2.1 


Copyright # 2004, Cisco Systems, Inc. 


Troubleshooting DSL 


Overview 


The lesson presents some common reasons why the ADSL connection might fail to be 
established and describes how to repair the connection if it fails. 


Relevance 


This lesson provides an overview of troubleshooting methods for Layer 1 and Layer 2. 


Objectives 
Upon completing this lesson, you will be able to: 
m= List the tasks required to troubleshoot Layer | (physical) issues 


m= List the tasks required to troubleshoot Layer 2 (data link) issues 


Learner Skills and Knowledge 
To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m= All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO) 
course 


m All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course 


Outline 
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This lesson includes these topics: 


Overview 

Layer Troubleshooting 

Layer | Issues 

Administratively Down State for an ATM Interface 
Correct Power Supply 

Correct DSL Operating Mode 

Layer 2 Issues 

Data Received from the ISP 

Proper PPP Negotiation 

Summary 


Quiz 
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Layer Troubleshooting 


This topic describes the first troubleshooting step, determining which layer of the ADSL 
service is failing. There could be many reasons why the DSL connection might not be 
functioning properly. 


Determining the Layer to Troubleshoot 
ee I | 


827-1#show del int atm 0 


ATU-R (DS) ATU:C (US} 
Modem Status: Showtime (OMTOSL_SHOWTIME) 
DSL Mode: ITU G.992.1 (G.DMT) 
Tu STD NUM: Ox01 Ox1 
Vendor ID: “ALCB’ GSPN 
Vendor Specific: 0x0000 Ox0002 
Vendor Country: 0x00 x00 


Capacity Used: 97% 100% 
Noise Margin: 5.0 dB 6.0 dB 
Output Power: 9.6 dBm 12.0 den 
<output omitted> 

interleave titerleave 
Speed (kbps): 7616 338 
<output amitted> 


¢ Showtime will appear after the DSL modem has trained. 
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Failure can occur at Layer 1, Layer 2, or Layer 3. This topic focuses on Layer | and Layer 2. 


To troubleshoot Layer 1 problems, you can use the show dsl interface atm 0 command to 
verify that the Cisco 827 router is trained to the DSLAM. If the router is successfully trained to 
the DSLAM, this command will also display the trained upstream and downstream speed in 
kbps. 


If training is successful, the problem could be a Layer 2 problem. 
If training is not successful, as shown in the following sample output, you must continue 
troubleshooting to isolate the Layer 1 problem. 


827-1# sh dsl int atm 0 


Line not activated: displaying cached data from last 
activation 


Log file of training sequence: 


<output omitted> 
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Layer 1 Issues 


This topic describes the steps that are used to determine whether Layer | is the cause of the 
problem. 


Layer 1 Issues 


¢ Is the Carrier Detect (CD) light on the front panel of the 
Cisco 827 on or off? 


— If the CD light is on, go to the Layer 2 Issues section of this 
document. 


— If the CD light is off, continue with the next question. 


¢ Is your service provider using a DSLAM that supports the 
Alcatel DSL chipset? Does the modulation match with what the 
DSLAM is using? 


— Verify this information with your service provider. 


¢ Is the DSL (ATM) port on the back of the Cisco 827 plugged into 
the wall jack? 


— If the DSL (ATM) port is not plugged into the wall jack, 
connect the port to the wall with a 4-pin or 6-pin RJ-11cable. 
This is a standard telephone cable. 


If the ATM 0 interface status is down and down, the router is not seeing a carrier on the ADSL 
line. To determine the ATM 0 interface status, issue the show interface atm 0 command from 
enable mode of the router: 


Router# show interface atm 0 


ATMO is down, line protocol is down 


This message generally indicates one of two issues: 


1. The active pins on the DSL wall jack may be incorrect. 


2. The service provider may not be providing DSL service on this wall jack. 


Determine whether the cable pinout is correct. 
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Cisco 827 Router xDSL Port Pinouts 


Pin Description 
3 XDSL_Tip 
4 XDSL_Ring 


The RJ-11 connector provides an xDSL connection to external media via a standard RJ-11 
6-pin modular jack. If the ATM interface is down and down, not just administratively down, 
check the pinout of the DSL wall jack. The Cisco 827 router uses a standard RJ-11 cable to 
provide the ADSL connection to the wall jack. The center pair of pins on the RJ-11 cable is 
used to carry the ADSL signal (pins 3 and 4 on a 6-pin cable, or pins 2 and 3 on a 4-pin cable). 


If the correct pins on the wall jack are being used, and the ATM 0 interface is still down and 
down, replace the RJ-11 cable between the DSL port and the wall jack. 


If the interface is still down and down after you have replaced the RJ-11 cable, contact the 


service provider to verify that ADSL service has been enabled on the wall jack that is being 
used. 
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Administratively Down State for an ATM Interface 


This topic describes troubleshooting situations where the interface is down because of an 
administrative action. 


Is the ATM Interface in an Administratively 


Down State? 
Ea er | 


Routertahcw interlace 
atm 0 ATMO 15 administratively down, Laine protocol is down 
<...Qutput.omitted ...> 


If the ATMO interface status is administratively down, issue the 
no shetdown command under the ATMO interface. 


Routertoontig t 

Enter configuration commands, one per line. znd with CNTL/Z. 
Router (config) lianterface atm 0 

Router (config-if)#no shut 

Router (config-i7) #end 

Routerctoopy run start 


BCRAN v2.14-4 


To determine if the ATM 0 interface is administratively down, issue the commands shown in 
the figure in enabled mode. 
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Correct Power Supply 


This topic discusses checking for the correct power supply. 


Is the Correct Power Supply geal: Used? 


* To determine the correct power supply, on the 
back of the power adapter look for: 


— Output +12V 0.1A, -12V 0.1A, +5V 3A, -24V 0.12A, and -71V 0.12A. 


° If the power supply is missing the +12V and -12V 
feeds, then it is for a different Cisco 800 series 
router and will not work on the 827. 


* Note that if using the wrong power supply, the 
Cisco 827 will power up but will be unable to train 
up (connect) to the ISP DSLAM. 


If the DSL cable is good and the proper pinouts are being used, the next step is to make sure 
that the correct power supply for the Cisco 827 router is being used. 


Note The Cisco 827 router does not use the same power supply as other Cisco 800 Series 
routers. 
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Correct DSL Operating Mode 


This topic describes determining whether the DSL operating mode is correct. 


Is the DSL Operating Mode Correct? 


* The command to configure operating-mode 
auto-detection is as follows: 


Router#econfig t 
Enter configuration commands, one per line, End 
with CNTL/Z. 


Router (config) #interface atm 0 
Router (config-if)#dsl operating-mode auto 
Router (config-if) tend 


Router#copy run start 


° The default operating mode for DSL is AUTO 


If everything that was checked up to this point in the Layer 1 troubleshooting procedure is 
correct, the next step is to make sure that the correct DSL operating mode is being used. 


Cisco Systems recommends using the default dsl operating-mode auto command when the 
DSL modulation being used by the service provider is unknown. 
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Layer 2 Issues 


This topic discusses Layer 2 troubleshooting issues. 


Layer 2 Issues 


B27#debug atm events 


2d1l6h: Data Cell received on vpi 
32 PPPoA MUX 


2di6h: Data Cell received on vpi 
32 PPPoA MUX 

2da16h: Data Cell received on vpi 
32 PPPoA MUX 


* The debug atm events command shows the VPI/VCI 
values that the DSLAM expects. 


Complete the following steps to determine whether the correct VPI/VCI values are configured 
on the router. 


Use the debug atm events command on the Cisco 827 router, and then go to a working Internet 
connection and begin to ping the static IP address assigned by your ISP. It is important that the 
ATM interface is up and up and that the IP address provided by the ISP is being pinged. 
Contact the ISP for support if the ping test is not successful. 


Verify the VPI/VCI values, and then make the necessary changes to the configuration. If there 
is no output during 60 seconds of debugging, contact the ISP. 


Note Use the Router# undebug all command to turn off the debug events. 
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Data Received from the ISP 


4-122 


This topic describes determining whether data is being received from the ISP. 


Is Data Being Received from the ISP? 
ee eee Se: SOO RET 


Routerfishow int atmo 


ATMO se wp, iine peratecel 14 wp 
Hacdwarc is DSLSAR (with Alcatel ADSL Module) 


MTU 4470 bytes, sub MTU 4470, BW 128 Ebit, DLT 16000 uses, reliability 
255/255, txulond 1/255, rxload 1/255 


Encarsulation AT, loopback not set 
Eacapsuliation{s): AALS, PVC mode 

24 masimum active VCs, 256 Vee per VP, 1 current Co 
VC idle disconnect time: 300 seconds 


Last soput 00:00:00, output 00:00:00, output bang never 
Last clearing of "show interface” counters nerer 
Queueing strategy: fifo 


Cutput qucuc 0/49, BO drops: anput queue 0/75, U drops 
S minute input rate 5 bits/sec, 0 packets/sec 


S minute outsut rate 7 bita/xec, 0 packeta/ anc 

150 packets input, 56800 bytes, 0 no buffer 
Received 0 Srsadcasts, 9 runts, 0 qiants, 6 throttles 
250 packets sutput, 1490 bytes, 0 undecruns 
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If the correct VPI/VCI values are being used, the next step is to verify that data is being sent 
and received on the ATM interface. Issue the show int atm0 command and check the input and 
output packet. 


If the packet counters are incrementing in both directions, the router should be sending and 
receiving packets from the ISP. 


If packets are incrementing in both directions, continue with the troubleshooting steps in this 
lesson. 
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Proper PPP Negotiation 


This topic describes determining whether PPP is negotiating successfully. 


Is PPP Negotiating suecessae 


Souler#debug pop negotiation 
Por pectesel owegotieticon dubuweyianyg ay on 
Revutere 2wid:s Vil Per: Mo remete antheartication for oall-vst. 


2wad. Val PPP. Phase is ESTABLISHING 
2wii: Vil LEP: © COMFREQ [Ope:] id 146 lem 19 


Qw3d:s Vil LO>: Macictumher CxfOCFOERIE (Ou SC 6accriete) ov3d: vil I>: Oo 
COMPACK [Open) ad 102 Len 15 
2w3d: Wal LCP: Auth?rovo CHAP (Ox0295CE2I05) 
2wed Vil LO Mogichumiber OnDSdS ADI (0x0 SO SDS6SRDOAN) 
2wSc: Dal ICE: Resove scoute to 20.20.2.1 
2wkt L TGP: T OGNFACK [Acxeeant] ic 146 Len 10 
2 LCP. Macictumoer UxtCCFUELE (UxUS¢ 69CCFlELs) 
Lo?. State ie Open 
PP?. Phase is AUTHENTICATING, by che peur 
CBAF: I CHALLENSE id 79 Lor 33 from ‘4(0-2-HRP-2" 
1 CHAP: G RRESPONSR id 79 Lan 2f from “JIehn" 
CHAP: L SUcCESS acd 79 Len 4 
PES: Phase is UP 
. Omb tbed. > 
IBCE: State is Open 
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There are four main points of failure in a PPP negotiation: 


1. No response from the remote device (ISP) 
2. LCP not open 
3. PAP or CHAP authentication failure 


4. IPCP failure 


If Layer 1 is up and if the correct VPI/VCI is being used, the next step is to make sure that PPP 
is coming up properly. Run a series of debug commands on the Cisco 827 router and interpret 
the output. The primary debug command to use is the debug ppp negotiation command. The 
output shown in the figure is an example of a successful PPP negotiation. 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
————— eee Se ALAS | 


¢ First step in troubleshooting is to determine the Layer to 
troubleshoot. 


¢ For layer 1 
— Is the ATM interface in an administratively down state? 
— Is the correct power supply being used? 
— Is the DSL operating mode correct? 


¢ Layer 2 Issues 


— Are data being received from the ISP? 

— Are PPP negotiating successful? 

— Are the PAP username and password correct? 

— Are the CHAP username and password correct? 
¢ Knowledge of troubleshooting show commands 
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Next Steps 
For the associated lab exercise, refer to the following section of the course Lab Guide: 


m Lab Exercise 4-1: E-Lab: Simulation for Configuring a Cisco 827 Router for NAT with 
PPPoA 
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Quiz 


Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 


Ql) 


Q2) 


Q3) 


Q4) 


QS) 


Q6) 


If the CD LED on the front panel of the Cisco 827 router is off, at which layer should 
you being troubleshooting? 


A) Layer | 
B) Layer 2 
C) Layer 3 
D) Layer 4 


The Cisco 827 router uses which type of standard cable? 


A) crossover 

B) RJ-45 

C) RJ-11 (4-pin or 6-pin) 
D) RJ-31x 


Routers in the Cisco 800 Series all use the same power supply. 

A) true 

B) false 

When configuring operating mode autodetection, the router should be in which mode? 
A) # 

B) (config)# 

C) configure terminal 

D) (config-if)}# 

Which command is used to determine the VPI/VCI that the DSLAM expects? 
A) show interface 

B) debug atm events 


C) show vlan 

Use the show int atm0 command to check which type of packets? 
A) input and output 

B) input only 

C) output only 
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Quiz Answer Key 
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Ql) 


Q3) 


Q4) 


Q5) 


Q6) 


A 


Relates to: 


Cc 


Relates to: 


B 


Relates to: 


D 


Relates to: 


B 


Relates to: 


A 


Relates to: 


Layer 1 Issues 


Layer 1 Issues 


Correct Power Supply 


Correct DSL Operating Mode 


Layer 2 Issues 


Data Received from the ISP 
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Module 5 | 


Virtual Private Networks 


Overview 


This module is an introduction to Virtual Private Network (VPN) concepts, processes, and 
procedures that are available on Cisco IOS software-based router products. 


The lessons in this module focus primarily on IPSec encryption and Internet Key Exchange 
(IKE), although there is mention of other tunneling protocols and VPN alternatives. Procedures 
and labs focus on router-based tasks. Other products such as the Cisco PIX Firewall, VPN 
concentrator, and Unity VPN client are briefly mentioned. 


Objectives 


Upon completing this module, you will be able to: 


m™ Describe the fundamental concepts of VPNs and tunneling, and define commonly used 
VPN terms 


m= Describe the fundamental concepts and operations used in Cisco IOS cryptosystems for 
encryption, authentication, and key management 


m= Identify the main IPSec technologies and the major tasks necessary to configure IPSec on 
Cisco routers 


m Verify proper IPSec and IKE configuration with available Cisco IOS commands 


Outline 


The module contains these lessons: 

m Identifying VPN Features 

m= Identifying Cisco IOS Cryptosystem Features 
m Identifying [IPSec Technologies 

m Task 1: Preparing for IKE and IPSec 

m Task 2: Configuring IKE 

m Task 3: Configuring IPSec 

m Task 4: Testing and Verifying IPSec 
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Identifying VPN Features 


Overview 


Virtual Private Networks (VPNs) provide the same secure site-to-site network connectivity for 
remote users over the Internet as they would over a secure private network. Enabling this 
secure connectivity requires policies and technologies for VPN cryptographic services to 
support user authentication, data integrity, and encryption. This lesson provides a high-level, 
conceptual overview of VPN alternatives, elements, and terms. 


Relevance 


This lesson helps the learner identify the various VPN alternatives, the network connectivity 
supported by each, and the main terminology used. The lesson offers the learner a knowledge 
baseline to use for understanding VPN and to set a foundation for more in-depth learning after 
this lesson. 


Objectives 


Upon completing this lesson, you will be able to: 

m™ Define a VPN and describe its advantages over alternative WAN access technologies 

m™ Describe the functions performed by encryption and network tunnels 

m Describe the scenarios for using VPNs for remote access and site-to-site network traffic 
m= Identify the main components, or attributes, of VPN implementations 


m Select the best VPN technology for providing network connectivity for VPN design 
scenarios 


m= Match key VPN terms with their definition or descriptions 


Learner Skills and Knowledge 


To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO) 
course 


m All knowledge presented in the Jnterconnecting Cisco Network Devices (ICND) course 


Outline 
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This lesson includes these topics: 


Building Cisco Remote Access Networks (BCRAN) v2.1 


Overview 

VPN Features and Advantages 
Tunneling and Encryption 
VPN Usage Scenarios 

VPN Technologies 

VPN Protocols 

VPN and IPSec Terms 


Summary 


Quiz 


Copyright # 2004, Cisco Systems, Inc. 


VPN Features and Advantages 


This topic describes the basic functions and advantages of VPNs. 


Virtual Private Networks 


Internet 


A VPN carries private traffic over a public network using 
advanced encryption and tunnels to protect: 


¢ Confidentiality of information 
¢ Integrity of data 
¢ Authentication of users 
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A VPN is defined as network connectivity deployed on a shared infrastructure with the same 
policies and security as a private network. 


A VPN is established between two end systems, or between two or more networks. A VPN can 
be built using tunnels, encryption, or both, at essentially any layer of the OSI protocol stack. A 
VPN is an alternative WAN infrastructure that replaces or augments existing private networks 
that use leased-line or enterprise-owned Frame Relay ATM networks. 


VPNs provide three critical functions: 


= Confidentiality (encryption): The sender can encrypt the packets before transmitting them 
across a network, thereby prohibiting anyone from eavesdropping on the communication. If 
intercepted, the communication cannot be read. 


= Data integrity: The receiver can verify that the data was transmitted through the Internet 
without being changed or altered in any way. 


= Origin authentication: The receiver can authenticate the source of the packet, 
guaranteeing and certifying the source of the information. 
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Why Have VPNs? 


Conventional 


Frorve Petey 
Services 


Branch Office Branch Offeo 


Higher cost Lower cost 

Less flexible More flexible 

WAN management Simpler management 
Complex topologies Tunnel topology 
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VPNs offer many advantages over traditional, leased-line networks. The primary benefits 
include the following: 


= Lower cost than private networks: Total cost of ownership is reduced through lower-cost 
transport bandwidth, backbone equipment, and operations. Costs of LAN-to-LAN 
connectivity are typically reduced by 20 to 40 percent over domestic leased-line networks; 
cost reduction for remote access is in the range of 60 to 80 percent. 


= Flexibility for enabling the Internet economy: VPNs are inherently more flexible and 
scalable network architectures than classic WANs, thereby enabling enterprises to quickly 
and cost-effectively extend connectivity. In this way, VPNs can facilitate connection or 
disconnection of remote offices, international locations, telecommuters, roaming mobile 
users, and external business partners as business requirements demand. 


= Simplified management burdens: Enterprises may outsource some or all of their WAN 
functions to a service provider, enabling the enterprises to focus on core business objectives 
instead of managing a WAN or dial-access network. 


= Tunneled network topologies, thus reducing management burdens: Using an IP 
backbone eliminates static permanent virtual circuits (PVCs) associated with connection- 
oriented protocols such as Frame Relay and ATM, thereby creating a fully-meshed network 
topology while actually decreasing network complexity and cost. 


5-6 Building Cisco Remote Access Networks (BCRAN) v2.1 Copyright #: 2004, Cisco Systems, Inc. 


Virtual Private Networking 


e Virtual Network Tunneling 


S&S Cin & 


° Private Network Encryption 


Encrypted 


« Virtual Private Network = Tunneling + Encryption 
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VPNs provide the greatest benefits of a private network, that is, privacy and the use of multiple 
protocols. VPNs enable these benefits over the larger shared IP infrastructure of the Internet. 


A virtual network is created through the ability to tunnel multiple protocols over a standard IP 
connection. Generic routing encapsulation (GRE) and Layer 2 Tunneling Protocol (L2TP) are 
two methods of tunneling. Both tunneling methods are configurable on Cisco routers. A third 

method, IPSec, is also configurable on Cisco routers and is the key focus of this VPN module. 


A private network is one that ensures Confidentiality, Integrity, and Authentication (CIA). 


Encrypting traffic and using the IPSec protocol enables traffic to traverse the shared public 
infrastructure with the same CIA as with a private network. 
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Tunneling and Encryption 


VPNs allow the creation of private networks across the Internet, enabling tunneling or 
encryption of TCP/IP (and non-TCP/IP) protocols. This topic describes tunneling and 
encryption. 


VPN Tunnels and Encryption 


aS = @ 


Transform Transform 


J 
» (ee 


Ciphertext 


4 
i — 


A tunnel is a virtual point-to-point connection. 


The tunnel carries one protocol inside another protocol. 
Encryption transforms content information into ciphertext. 
Decryption restores content information from ciphertext. 
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The Internet has created new opportunities for companies to streamline business processes, 
enter new markets, and work with partners and customers more effectively. At the same time, it 
has also created a greater reliance on networks and a need to protect against a wide range of 
security threats. The main function that a VPN offers for this protection is encryption through a 
tunnel. 


Tunnels provide logical, point-to-point connections across a connectionless IP network, 
enabling application of advanced security features. Tunnels for VPN solutions employ 
encryption to protect data from being viewed by unauthorized entities and to perform 
multiprotocol encapsulation, if necessary. Encryption is applied to the tunneled connection to 
scramble data, thus making data legible to authorized senders and receivers only. 


Encryption ensures that messages cannot be read by anyone but the intended recipient. As more 
information travels over public networks, the need for encrypting the information becomes 
more important. Encryption transforms content information into a ciphertext that is meaningless 
in its encrypted form. The decryption function restores the ciphertext back into content 
information intended for the recipient. 
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VPN Usage Scenarios 


The topic describes the variety of options for deploying VPNs with modern networking devices 
and ecosystems. This topic also shows how VPN encryption and tunnels are used. 


Use VPNs with a Variety of Devices 
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Networked VPN tunnels can carry encrypted data in four topologies: 
= From router to router: This is the focus of the BCRAN labs. 
= From one router to many other routers: Each tunnel is a point-to-point connection. 


= From PC to router or VPN concentrator: This option enables the mobility of network 
transactions. 


= Router to firewall and PC to firewall: The firewall monitors traffic that crosses network 
perimeters and imposes restrictions according to security policy. 


The proliferation of the networked economy supported by these and other network devices has 
spawned a fundamental change in how corporations conduct business. Corporate staff is no 
longer defined by where they do their jobs as much as how well they perform their job 
functions. Virtual Private Networking can be done from anywhere using routers, firewalls, or 
dedicated VPN concentrators. 


Competitive pressures in many industries have spawned alliances and partnerships among 
enterprises, requiring separate corporations to act and function as one when facing customers. 


Although such developments have increased productivity and profitability for many 
corporations, they have also created new demands on the corporate network. Connectivity that 
is focused solely on connecting fixed corporate sites—such as branch and regional offices 
connected to the headquarters campus—is no longer sufficient connectivity for many 
enterprises. In addition to these standard network connections, connectivity must focus on 
business-to-business and business-to-customer connections within an expanding ecosystem. 
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Cisco VPN Solution Ecosystem 
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VPNs help remote users, such as telecommuters and external business partners, to access 
enterprise computing resources. This access may use several service provider networks 
accessing and traversing the Internet. 


There may be firewalls operating that help to separate the internal network of an enterprise 
from its extended external network and the Internet at large. The enterprise may offer a variety 
of web services and network applications, including those that use Domain Name System 
(DNS) and Simple Mail Transfer Protocol (SMTP). 


The classic WAN must be extended to accommodate these new remote users. Consequently, 
many enterprises are using VPNs that help to complement their existing classic WAN 
infrastructure. 


VPN solutions are organized into two main types: 


= Remote-access VPNs: Securely connect remote users, such as mobile users and 
telecommuters, to the enterprise 


m= Site-to-Site VPNs: Securely connect remote and branch offices to the enterprise (intranet 
VPNs), and connect third parties, such as customers, suppliers, and business partners, to the 
enterprise (extranet VPNs). 
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VPN—Types 
eee CISCO.COM 


* Remote-access 
—Client-initiated 
—Network access server 

° Site-to-site 
—Intranet 
— Extranet 


There are two types of remote-access VPNs: 


= Client-initiated: Remote users use clients to establish a secure tunnel across an ISP shared 
network to the enterprise. 


m= Network access server (NAS)-initiated: Remote users dial in to an Internet service 
provider (ISP). The NAS establishes a secure tunnel to the enterprise private network that 
might support multiple remote user-initiated sessions. 

Site-to-site VPNs include two main types: 


= Intranet VPNs: Connect corporate headquarters, remote offices, and branch offices over a 
public infrastructure. 


m= Extranet VPNs: Link customers, suppliers, partners, or communities of interest to a 
corporate intranet over a public infrastructure. 


A more detailed description of the scenarios for these various VPN types will illustrate 
solutions and benefits. 
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Remote-Access VPN Solutions 


Remote-Access clients 


Extranet 
Consumer to business 


¢ VPN replacing toll and toll - free dial connectivity 
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Remote-access VPN solutions are targeted to mobile users and home telecommuters. In the 
past, corporations supported remote users via dial-in networks, typically requiring a toll or toll- 
free call to access the corporation. Remote-access VPNs are an extension of dial networks. 


With the advent of VPNs, mobile users can make a local call to their ISP to access the 
corporation via the Internet, regardless of their location. 


Remote-access VPNs can terminate on headend devices such as Cisco routers, PIX Firewalls, 
or VPN concentrators. Remote-access clients can include Cisco routers and VPN clients. 
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Site-to-Site VPN Solutions 


Remote sites 


¢ Extension of classic WAN 
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VPN site-to-site solutions can be used to connect corporate sites. In the past, a leased line or 
Frame Relay connection was required to connect sites. Today, most corporations have Internet 
access. 


With Internet access, leased lines and Frame Relay lines can be replaced with site-to-site VPN 
to provide the network connection. VPN can support company intranets and business partner or 
customer extranets. 


Site-to-site VPN is an extension of the classic WAN network. Site-to-site VPNs can be built 
using Cisco routers, PIX Firewalls, and VPN concentrators. 
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VPN Technologies 


This topic describes the main VPN technologies that are available and compares them to the 
various Open System Interconnection (OSI) layers. The topic then focuses on the preferred 
layer for selecting a VPN technology and the preferred choices at that layer. 


Encryption at Several Layers 


SSH 
S/MIME Application Layer 


Application 
Layers (5-7) 


SSL s Transport Layer 


Transport Network Layer 
Network 
Layers (3-4) 


Link/Physical 
Layers (1-2) 


Encryption 


Various methods for VPN protection are implemented on different layers. Providing privacy 
and other cryptographic services at the application layer was very popular in the past, and in 
some situations is still done today. For example, Secure Shell Protocol (SSH) offers Internet- 
based data security technologies and solutions, especially cryptography and authentication 
products. 


The Internet Engineering Task Force (IETF) has a standards-based protocol called Secure 
Multipurpose Internet Mail Extensions (S/MIME) for VPN applications generated by a number 
of communication system components (for example, message transfer agents, guards, and 
gateways). 


However, application-layer security is application-specific and protection methods must be 
implemented anew in every application. 


Some standardization has been successful at layer four (transport) of the OSI model, with 
protocols such as Secure Socket Layer (SSL) providing privacy, authenticity, and integrity to 
TCP-based applications. SSL is popular in modern e-commerce sites, but fails to address the 
issues of flexibility, ease of implementation, and application independence. 


Protection at lower levels of the OSI stack, especially the data-link layer, was also used in 
communication systems of the past, as it provided protocol-independent protection on specific 
untrusted links. However, data-link layer protection is expensive to deploy on a large scale 
(protecting every link separately), therefore allowing a “man-in-the-middle” attack (hijacking a 
network session) on intermediate stations (routers). 


Because of the limitations discussed, layer three has become the most popular level on which to 
apply cryptographic protection to network traffic. 
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Tunneling Protocols 


Application 
Layers (5-7) 
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Link/Physical 
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With implementation of encryption on Layer 1, this layer and all layers above it are 
automatically protected. Network-layer protection offers one of the most flexible solutions, as it 
is media-independent and application-independent at the same time. 


Copyright © 2004, Cisco Systems, Inc. Virtual Private Networks 5-15 


VPN Protocols 


L2TP 


This topic describes a variety of network-layer technologies that are available to enable 
tunneling of protocols through networks to create a VPN. The main focus of this topic is on 
three of these technologies: Layer 2 Tunneling Protocol (L2TP), Cisco generic routing 
encapsulation (GRE), and the IPSec. 


VPN Protocols 


Description Standard 
Layer 2 Tunneling Protocol RFC 2661 


Generic Routing Encapsulation | RFC 1701 and 278 


IPSec Internet Protocol Security | wrcom | 
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The figure describes three VPN tunneling protocols: L2TP, GRE, and IPSec. 


Prior to the L2TP standard (August 1999), Cisco used Layer 2 Forwarding (L2F) as its 
proprietary tunneling protocol. L2TP is 100 percent backward-compatible with L2F. L2F is not 
forward-compatible with L2TP. 


L2TP, defined in RFC 2661, is a combination of Cisco L2F and Microsoft Point-to-Point 
Tunneling Protocol (PPTP). Microsoft supports PPTP in its earlier versions of Windows, and 
PPTP and L2TP in Windows NT and 2000. 


L2TP is used to create a media-independent, multiprotocol virtual private dialup network 
(VPDN). L2TP allows users to invoke corporate security policies across any VPN or VPDN 


link as an extension of their internal networks. 


L2TP does not provide encryption and can be monitored with a protocol analyzer. 
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GRE 


IPSec 


This multiprotocol transport encapsulates IP, Connectionless Network Protocol (CLNP), and 
any other protocol packets inside IP tunnels. 


With GRE tunneling, a Cisco router at each site encapsulates protocol-specific packets in an IP 
header, creating a virtual point-to-point link to Cisco routers at other ends of an IP cloud where 
the IP header is stripped off. 


By connecting multiprotocol subnetworks in a single-protocol backbone environment, IP 
tunneling allows network expansion across a single-protocol backbone environment. GRE 
tunneling allows desktop protocols to take advantage of the enhanced route selection 
capabilities of IP. 


GRE does not provide encryption and can be monitored with a protocol analyzer. 


IPSec is the choice for secure corporate VPNs. IPSec is a framework of open standards that 
provides data confidentiality, data integrity, and data authentication between participating 
peers. 


IPSec provides these security services using Internet Key Exchange (IKE) to handle negotiation 
of protocols and algorithms based on local policy and to generate the encryption and 
authentication keys to be used by IPSec. 
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Selecting a VPN Technology 


Depending on your traffic needs, select the best VPN technology to provide network 
connectivity. 


The flow chart shows a process for selecting a network-layer VPN tunneling option that is 
based on your VPN design scenarios. 


Selecting Layer 3 VPN Tunnel Options 


IPSec is the main option that is featured in this topic for securing enterprise VPNs. 
Unfortunately, IPSec supports IP unicast traffic only. If IP unicast packets are being tunneled, 
then a single encapsulation provided by IPSec is sufficient and much less complicated to 
configure and troubleshoot. 


For multiprotocol or IP multicast tunneling, you must use GRE or L2TP. 


For network traffic that uses Microsoft networking, L2TP may be the best choice. Because of 
its ties to PPP, L2TP may also be suited for remote-access VPNs that require multiprotocol 
support. 


GRE is best suited for site-to-site VPNs that require multiprotocol support. It is typically used 
to tunnel multicast packets such as routing protocols. GRE encapsulates all traffic, regardless of 
its source and destination. 


Neither L2TP nor GRE tunneling protocols support data encryption or packet integrity. For 
these valuable functions, you must combine the protocol or protocols with IPSec. You can use 
IPSec in combination with L2TP or GRE protocols to provide IPSec encryption, such as 
L2TP/IPSec or GRE/IPSec. 
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VPN and IPSec Terms 


This topic describes commonly used VPN and IPSec terms that will help you to make the best 
use of VPN and IPSec protocols. 


Identifying Key VPN Terms 


° Tunnel 

° Encryption and decryption 

¢ Cryptosystem 

* Hashing 

¢ Authentication 

* Authorization 

° Key management 

* CA—certification authority service 


These terms define key components and elements that can be commonly used in VPNs: 


Tunnel: A virtual point-to-point connection that is used in a network to carry traffic from 
one protocol (for example, encrypted ciphertext) encapsulated inside another protocol (for 
example, an IP packet). 


Encryption and decryption: Encryption is the process of transforming information 
content—called clear text or plain text—into a hidden form called ciphertext so that it will 
not be readable by unauthorized users. Decryption transforms ciphertext back into clear or 
plain text so that it is accessible for reading by authorized users. 


Cryptosystem: A system to accomplish encryption and decryption, user authentication, 
hashing, and key-exchange processes. A cryptosystem may use one of several different 
methods, depending on the policy intended for various user traffic situations. 


Hashing: A data integrity technology that uses a formula or algorithm to convert a 
variable-length message and shared secret key into a single fixed-length string of digits, or 
hash. The message, key, and hash traverse the network from source to destination. At the 
destination, the recalculated hash is used to verify that the message and key have not 
changed while traversing the network. 


Authentication: The process of identifying a user or process attempting to access a 
computer system or network connection. Authentication ensures that the individual or 
process is who they claim to be. Authentication does not confer associated access rights. 


Authorization: The process of giving authenticated individuals or processes access to a 
computer system or network connection resources. 
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m Key management: A key is information (usually a sequence of random or pseudorandom 
binary digits) that is used initially to set up and then to periodically change the operations 
that are performed in a cryptosystem. Key management is the supervision and control of 
the process whereby keys are generated, stored, protected, transferred, loaded, used, and 
destroyed. 


= Certification authority (CA) service: A third-party service that is trusted to help secure 
the communications between network entities or users by creating and assigning digital 
certificates (for example, public key certificates) for encryption purposes. A CA vouches 
for the binding between the data security items in the certificate. Optionally, a CA creates 
user encryption keys. 
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As the VPN of choice, IPSec uses a number of terms and acronyms, as noted here. 


Identifying Key IPSec VPN Terms 


¢ AH: Authentication Header 
¢ ESP: Encapsulating Security Payload 
¢ IKE: Internet Key Exchange 


ISAKMP: Internet Security Association and Key 
Management Protocol 


e SA: security association 
¢ AAA: authentication, authorization, and accounting 


¢ TACACS+: Terminal Access Controller Access Control 
System Plus 


e RADIUS: Remote Authentication Dial-In User Service 
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These terms define key protocols and elements that are components of IPSec: 


Authentication Header (AH): A security protocol that provides data authentication, data 
integrity, and optional anti-replay services. AH is embedded in the data to be protected (a 
full IP datagram). 


Encapsulating Security Payload (ESP): A security protocol that provides data 
confidentiality, data integrity, protection services, optional data origin authentication, and 
anti-replay services. ESP encapsulates the data to be protected. 


IKE: A hybrid protocol that implements Oakley key exchange and Skeme key exchange 
inside the ISAKMP framework. Oakley and Skeme each define a method to establish an 
authenticated key exchange. This includes payload construction, the information payloads 
carried, the order in which keys are processed, and how the keys are used. 


Internet Security Association and Key Management Protocol ISAKMP): A protocol 
framework that defines payload formats, the mechanics of implementing a key exchange 
protocol, and the negotiation of an SA. 


Security association (SA): A policy and key or keys that are used to protect information. 
The ISAKMP SA is the shared policy and key or keys that are used by the negotiating 
peers in this protocol to protect their communication. 


Authentication, authorization, and accounting (AAA): The network security services 
that provide the primary framework through which you set up access control on your router 
or access server. Two major protocols that support AAA are TACACS+ and RADIUS. 


TACACS+: A security application that provides centralized validation of users attempting 
to gain access to a router or network access server. 


RADIUS: A distributed client-server system that secures networks against unauthorized 
access. 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
85cm 


¢ A VPN carries private user traffic over the Internet, 
securing the traffic using encryption and tunneling. 


VPNs take advantage of cost, flexibility, management, 
and topology benefits compared to legacy WAN 
connections. 


Encryption converts clear text into cyphertext; 
cyphertext traverses the VPN tunnel. 


Decryption converts cypher text back into clear text. 


In VPN tunnels, one protocol carries traffic from 
another protocol for a variety of VPN usage scenarios. 


Remote-access VPN types evolve and extend dialup; 
Site-to-site VPN types extend classic WANs. 
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Summary (Cont.) 


VPN solution at the Network Layer 3 are recommended 
compared to application or data-link alternatives. 


L2TP is recommended for Microsoft Networks and traffic 
that can use PPP capabilities. 


GRE is recommended for multi-protocol traffic and for 
non-unicast traffic. 


IPSec, largely due to its encryption facilities is the VPN of 
choice and is recommended for unicast IP traffic. 


Combinations of IPSec with L2TP and GRE allow 
maximum VPN flexibility but can be complex to set up and 
manage. 


Knowing commonly-used VPN and IPSec terms or 
acronyms can help communications and simplify 
additional learning. 
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IETF IPSec home page at http://Awww.ietf.org/html.charters/ipsec-charter. html — 
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Networking and Telecom definitions at http://Awhatis.techtarget.com/ _ 
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Quiz 
Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 


Ql) Which of the following is NOT a reason for using VPN? 


A) VPNs provide secure communication over a public infrastructure. 

B) VPNs reduce cost when compared to maintaining dedicated circuits. 

C) VPNs allow users to shield information from others on the Internet. 

D) VPNs allow communication at 20-40 percent faster rates than non-VPN 
connections. 


Q2) — Tunnels permit which two of the following? (Choose two.) 


A) multiple protocols to cross an IP network 

B) packet encryption to cross an IP network 

C) packets to move faster through a congested network 
D) overhead of packet size and process to be reduced 


Q3) Which of the following devices can terminate a VPN connection? 
A) Cisco firewall 
B) Cisco router 
B) Cisco VPN concentrator 
C) all of the above 


Q4) — Which of the following is NOT a benefit of Layer 3 (IPSec) encryption? 
A) Layer 3 encryption can be used independent of the type of application. 


B) Layer 3 encryption hides the port number and the type of application being 
used. 


C) Layer 3 encryption prevents intruders from seeing the addresses of the host 
conversations. 


D) Layer 3 encryption is easily scalable. 


Q5) AGRE or L2TP tunnel can be encapsulated within an IPSec tunnel to keep data 


private. 
A) true 
B) false 
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Q6) — Ifacorporate network uses a multicast protocol, how can traffic be sent securely from a 
corporate headquarters to a branch office? 


A) Multicast protocols natively control security between offices. 

B) A GRE tunnel will provide adequate security. 

C) An L2TP tunnel will provide adequate security. 

D) A GRE tunnel encapsulated in IPSec will provide adequate security. 


Q7) —Accryptosystem can best be defined as : 
A) a method of enabling two devices to negotiate security protocols 
B) the ability to use a substance like Kryptonite to weaken security 


C) the system of securing traffic by using encryption 
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Quiz Answer Key 
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Ql) 


Q2) 


Q3) 


Q4) 


Q5) 


Q6) 


Q7) 


D 
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A,B 
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D 
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Cc 
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A 
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D 
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VPN Technologies 
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Identifying Cisco lOS 
Cryptosystem Features 


Overview 


The Cisco IOS cryptosystem, which performs encryption, authentication, and key management, 
is a complex tool and supports many technologies. 


Relevance 


Understanding cryptosystem is helpful in understanding encryption and key exchanges. 


Objectives 
Upon completing this lesson, you will be able to: 


m= List the various encryptions, authentications, hash functions, and key management systems 
used in cryptography 


m™ Describe the fundamentals of symmetric encryption (secret-key encryption) 
m™ Describe the fundamentals of asymmetric encryption (public-key encryption) 
m Identify the steps in a key exchange operation using the Diffie-Hellman algorithm 


m™ Describe the fundamentals of hashing, including the HMAC-MD5 and HMAC-SHA-1 
hashing algorithms 


Learner Skills and Knowledge 


To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO) 
course 


m All knowledge presented in the Jnterconnecting Cisco Network Devices (ICND) course 


Outline 
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This lesson includes these topics: 


Building Cisco Remote Access Networks (BCRAN) v2.1 


Overview 

Cryptosystem Overview 
Symmetric Encryption 
Asymmetric Encryption 

Key Exchange—Diffie-Hellman 
Hashing 

Summary 


Quiz 
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Cryptosystem Overview 


This topic describes encryptions, authentications, hash functions, and key management systems 


that are used in cryptography. 


Cryptosystem Overview 


Key Monagement 


Secret Key Exchange: 
Diffie-Hellman 


Authentication 


Syrunetic Asymmetric 
Secret Key: Public Key: 
RSA 


HMAC ~— — 


(secret key) 


Public Key Exchange: 


Digital 
gnature 
public key) 


There are numerous encryption technologies that are available to provide confidentiality, 
including Data Encryption Standard (DES), Triple DES (3DES), and Advanced Encryption 
Standard (AES). DES encrypts packet data with a 56-bit key. At its development in the 1970s, 
DES was thought to be unbreakable. Today, supercomputers can crack DES encryption in a 
few days. 3DES uses a double-length key (112 bits) and performs three DES operations in 
sequence. 3DES is 2”° times stronger than DES. AES currently specifies keys with a length of 
128, 192, or 256 bits to encrypt blocks with a length of 128, 192, or 256 bits (all nine 
combinations of key length and block length are possible). Cisco intends AES to be available 
on all Cisco products that currently have IPSec DES and 3DES functionality, such as Cisco 
IOS routers, Cisco Secure PIX Firewalls, Cisco VPN concentrators, and Cisco VPN clients. 


Many standards have emerged to protect the secrecy of keys and to facilitate the changing of 
these keys. Diffie-Hellman implements key exchange without exchanging the actual keys. This 
is the most well-known and widely used algorithm for establishing session keys to encrypt data. 


Note Cisco IOS images with strong encryption are subject to United States government export 
controls and have a limited distribution. Please check license availability before installing an 
encryption technology. This course uses the less powerful DES rather than 3DES due to 


more flexible export restrictions. 


Rivest, Shamir, and Adelman (RSA) is the public-key cryptographic system developed by Ron 
Rivest, Adi Shamir, and Leonard Adelman. RSA signatures provide nonrepudiation while 
RSA-encrypted nonces (randomly generated values) provide repudiation. There are several 
technologies that provide authentication, including message digest algorithm 5 (MD5) and 


Secure Hash Algorithm (SHA). 
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Symmetric Encryption 
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This topic describes the fundamentals of symmetric encryption (secret-key encryption). 


Symmetric Encryption 


¢ Encryption turns clear text into ciphertext 
¢ Decryption restores clear text from ciphertext 
* Keys enable encryption and decryption 


The figure shows symmetric encryption, also known as secret-key encryption. It is used for 
large volumes of data. During the data exchange, the keys may change several times. 
Asymmetric encryption, or public-key encryption such as RSA, is several times more CPU- 
intensive, so it is usually used only for key exchanges. 


With block ciphers, it is possible to further guarantee the integrity of the data received by using 
feedback. Cisco encryption algorithm incorporates cipher feedback (CFB), which does an 
Exclusive-OR of the plain text data with each block of encrypted data. CFB provides a means 
to verify that all data was received as transmitted. 


The most important feature of a cryptographic algorithm is its security against being 
compromised. The security of a cryptosystem, or the degree of difficulty for an attacker to 
determine the contents of the ciphertext, is the function of a few variables. In most protocols, 
the cornerstone to security lies in the secrecy of the key used to encrypt data. The DES 
algorithm is built so that it is too difficult for anyone to be able to determine the clear text 
without having this key. In any cryptosystem, great lengths are taken to protect the secrecy of 
the encryption key. 


DES is one of the most widely used symmetric encryption standards. DES turns clear text into 
ciphertext via an encryption algorithm. The decryption algorithm on the remote end restores 
clear text from ciphertext. Keys enable the encryption and decryption. DES is the most widely 
used symmetric encryption scheme today. It operates on 64-bit message blocks. The algorithm 
uses a series of steps to transform 64-bit input into 64-bit output. In its standard form, the 
algorithm uses 64-bit keys, of which 56 bits are chosen randomly. The remaining eight bits are 
parity bits, one for each seven-bit block of the 56-bit random value. 
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3DES is an alternative to DES that preserves the existing investment in software but makes a 
brute-force attack more difficult. 3DES takes a 64-bit block of data and performs the operations 
of encrypt, decrypt, and encrypt. 3DES can use one, two, or three different keys. The advantage 
of using one key is that, with the exception of the additional processing time that is required, 
3DES with one key is the same as standard DES (for backward compatibility). Although DES 
and 3DES algorithms are in the public domain and freely available, 3DES software is 
controlled by United States export laws. 
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Asymmetric Encryption 
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This topic describes the fundamentals of asymmetric encryption (public-key encryption). 


Asymmetric Encryption 


Key 


* Private key is known only to receiver. 
¢ Public key is known to public. 
* Public key distribution not a secret operation. 


Asymmetric encryption is often referred to as public-key encryption. It can use either the same 
algorithm to encrypt and decrypt data, or different but complementary algorithms. Two 
different, but related, key values are required: a public key and a private key. For example, if 
Alice and Bob want to communicate using public-key encryption, both need a public-key and 
private-key pair. Alice has to create her public-key or private-key pair, and Bob has to create 
his own public-key or private-key pair. When communicating with each other securely, Alice 
and Bob use different keys to encrypt and decrypt data. 


Although the mechanisms that are used to generate these public or private key pairs are 
complex, they result in the generation of two very large random numbers, one of which 
becomes the public key and the other the private key. Because these numbers must adhere to 
stringent mathematical criteria to preserve the uniqueness of each public or private key pair, 
generating these numbers is processor-intensive. Public-key encryption algorithms are rarely 
used for data confidentiality because of their performance constraints, but instead are typically 
used in applications involving authentication that uses digital signatures and key management. 


Two common public-key algorithms are the RSA algorithm and the El Gamal algorithm. 
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Key Exchange—Diffie-Hellman 


This topic describes the steps in a key exchange operation using the Diffie-Hellman algorithm. 


Key Exchange—Diffie-Hellman Overview 


Performs authenticated key exchange 


Private value, X, Private value, Xp 
Public value, Y, Public value, Y, 


Xp Xg 
%, *9 mod p Y, *9 mod p 


ae | 


X, 
(Y, } mod p =K 


One of the most important aspects of creating a secure VPN involves exchanging the keys. The 
Diffie-Hellman algorithm provides a way for two parties, Router A and Router B in the figure, 
to establish a shared secret key that only they know, even though they are communicating over 
an insecure channel. 


This secret key is then used to encrypt data using their favorite secret-key encryption algorithm. 
Two numbers, “p” (a prime) and “g” (a number less than “p” but with some restrictions), are 
shared. 


Router A and Router B each create a large random number that is kept secret, “X,” and 

“Xp. The Diffie-Hellman algorithm is now performed, whereby both Router A and Router B 
carry out some computations and exchange results. 

The final exchange results in a common value “K.” Anyone who knows “p” or “g” cannot 
guess or easily calculate the shared secret value—largely because of the difficulty in factoring 
large prime numbers. 


It is important to note that a means for knowing with whom the key is established has not yet 
been created, so the exchange is subject to a “man-in-the-middle” attack (hijacking a network 
session between the source and destination). Diffie-Hellman provides for confidentiality but not 
for authentication. Authentication is achieved via the use of digital signatures in the Diffie- 
Hellman message exchanges. 
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Hashing 


This topic describes the fundamentals of hashing, including the Hash-based Message 
Authentication Code (HMAC)-MD5 and HMAC-SHA-1 hashing algorithms. 


Hashing 


Local 


Vari ble -length 
| input message 
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Hashing guarantees the integrity of the message. At the local end, the message and a shared 
secret key are sent through a hash algorithm, which produces a hash value. Basically, a hash 
algorithm is a formula that is used to convert a variable-length message into a single string of 
fixed-length digits. It is a one-way algorithm. A message can produce a hash but a hash cannot 
produce the original message. It is analogous to dropping a plate on the floor. The plate can 
produce a multitude of pieces, but the pieces cannot be recombined to reproduce the plate in its 
original form. The message and hash are sent over the network. 


At the remote end, there is a two-step process. First, the received message and shared secret key 
are sent through the hash algorithm, resulting in a recalculated hash value. Second, the receiver 
compares the recalculated hash with the hash that was attached to the message. If the original 
hash and the recalculated hash match, the integrity of the message is guaranteed. If any part of 
the original message is changed while in transit, the hash values are different. 


There are two common hashing algorithms: 


= HMAC-MDS: Uses a 128-bit shared secret key. The variable-length message and 128-bit 
shared secret key are combined and run through the HMAC-MDS hash algorithm. The 
output is a 128-bit hash. The hash is appended to the original message and forwarded to the 
remote end. 


= HMAC-SHA-1: Uses a 160-bit secret key. The variable-length message and the 160-bit 
shared secret key are combined and run through the HMAC-SHA-1 hash algorithm. The 
output is a 160-bit hash. The hash is appended to the original message and forwarded to the 
remote end. 


HMAC-SHA-1 is considered cryptographically stronger than HMAC-MD5S. 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
I ane 


e In systematic encryption, clear text is turned into 
ciphertext, and then decrypted back into clear text, by 
use of keys. 


Asymmetric encryption uses either the same algorithm, 
or different but complementary algorithms, to scramble 
and unscramble data. 


The Diffie-Hellman algorithm provides a way for two 
parties to establish a shared secret key that only they 
know, while communicating over an insecure channel. 


A hash algorithm is a formula used to convert a 
variable-length message into a single string of digits of 
a fixed length. 
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Quiz 
Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 
Ql) ~~ Which technology can provide authentication? 
A) DES 
B) Digital Signatures 
C) Diffie-Hellman 
D) RSA 
Q2) Symmetric encryption requires that the same key be used during encryption and 
decryption. 
A) true 
B) false 


Q3) — Which of the following is a form of asymmetric encryption? 


A) shared secret 


B) RSA 
C) SHA 
D) MDS 


Q4) Diffie-Hellman provides for confidentiality and authentication. 
A) true 
B) false 
Q5) What is the key size difference between HMAC-MDS5 and HMAC-SHA-1? 
A) HMAC-MDS = 64 bit, HMAC-SHA-1 = 128 bit 
B) HMAC-MDS = 128 bit, HMAC-SHA-1 = 160 bit 
C) HMAC-MDS = 160 bit, HMAC-SHA-1 = 128 bit 
D) HMAC-MDS = 128 bit, HMAC-SHA-1 = 64 bit 
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Quiz Answer Key 


Ql) B 

Relates to: 
Q2) A 

Relates to: 
Q3)  B 

Relates to: 
Q4+) B 

Relates to: 
Q5)  B 

Relates to: 


Copyright © 2004, Cisco Systems, Inc. 


Cryptosystem Overview 


Symmetric Encryption 


Asymmetric Encryption 


Key Exchange—Diffie-Hellman 


Hashing 
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Identifying [PSec Technologies 


Overview 


IPSec is a set of security protocols and algorithms that are used to secure data at the network 
layer. Prior to the IPSec standard, Cisco implemented its proprietary Cisco Encryption 
Technology (CET) to provide protection at the packet level. 


IPSec consists of two protocols and two protection modes. The first protocol is ESP, which 
encapsulates the data but does not provide protection to the outer headers. ESP encrypts the 
payload for data confidentiality, authenticity, and integrity. The second protocol is AH, which 
verifies the authenticity and integrity of the IP datagram by including a keyed MAC in the 
header. 


Relevance 


IPSec and the underlying protocols are important for establishing SAs as a way to secure all 
confidential communications running through insecure public networks. 


Objectives 
Upon completing this lesson, you will be able to: 
m™ Describe the fundamentals of IPSec 


m= List the differences in how the ESP and AH are applied using transport mode and tunnel 
mode 


m™ Describe the concepts of SAs 

m= List the five steps of IPSec operation 

m™ Describe how IKE enhances IPSec 

m™ Describe the IPSec process using SAs and CAs 


Learner Skills and Knowledge 


To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m All knowledge presented in the /ntroduction to Cisco Networking Technologies (INTRO) 


course 


m= All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course 


Outline 
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This lesson includes these topics: 
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Overview 

IPSec 

Tunnel vs. Transport Mode 
Security Associations 

Five Steps to IPSec 

IPSec and IKE Relationship 
IKE and IPSec Flowchart 
Tasks to Configure IPSec 


Summary 


Quiz 
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IPSec 


This topic describes the fundamentals of IPSec. 


IPSec—Interoperable Encryption and 
Authentication 


ESP Trailer 


The IPSec feature is supported across Cisco IOS-based 1600, 2x00, 36x0, 4x00, 5x00, and 7x00 
platforms using Cisco IOS Software Release 12.0(x), Cisco PIX Firewalls, and VPN Client and 
Concentrators. 


RFC 2401 describes the general framework for this architecture. Like all security mechanisms, 
RFC 2401 helps to enforce a security policy. The policy defines the need for security on 
various connections—these will be IP sessions. The framework provides data integrity, 
authentication, and confidentiality, in addition to security association and key management. 


Authentication Header 


The IP AH is used to provide connectionless integrity and data origin authentication for IP 
datagrams, and to provide protection against replays. The receiver can elect protection against 
replays when a security association is established. Although the default calls for the sender to 
increment the sequence number that is used for anti-replay, the service is effective only if the 
receiver checks the sequence number. AH, defined in RFC 2402, provides authentication for as 
much of the IP header as possible, in addition to upper-level protocol data. However, some IP 
header fields may change in transit and the value of these fields, when the packet arrives at the 
receiver, may not be predictable by the sender. The values of such fields cannot be protected by 
AH. Thus, the protection provided to the IP header by AH is limited. 


AH may be applied alone, in combination with the IP ESP, or in a nested fashion through the 
use of tunnel mode. Security services can be provided between a pair of communicating hosts, 
between a pair of communicating security gateways, or between a security gateway and a host. 
ESP may be used to provide the same security services, and it also provides a confidentiality 
(encryption) service. The primary difference between the authentication services provided by 
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ESP and AH is the extent of the coverage. Specifically, ESP does not protect any IP header 
fields unless they are encapsulated by ESP (tunnel mode). 


Encapsulating Security Payload 


The ESP header is inserted after the IP header and before the upper-layer protocol header 
(transport mode) or before an encapsulated IP header (tunnel mode). 


ESP, defined in RFC 2406, is used to provide confidentiality, data origin authentication, 
connectionless integrity, an anti-replay service (a form of partial sequence integrity), and 
limited traffic flow confidentiality by defeating traffic-flow analysis. The set of services 
provided depends on the options that are selected at the time of security association 
establishment and upon placement of the implementation. Confidentiality may be selected 
independent of all other services. However, use of confidentiality without integrity or 
authentication (either in ESP or separately in AH) may subject traffic to certain forms of active 
attacks that could undermine the confidentiality service. 


Data origin authentication and connectionless integrity are joint services and are offered as an 
option in conjunction with (optional) confidentiality. The anti-replay service may be selected 
only if data origin authentication is selected, and its election is solely at the discretion of the 
receiver. Although the default calls for the sender to increment the sequence number that is 
used for anti-replay, the service is effective only if the receiver checks the sequence number. 
Traffic flow confidentiality requires the selection of tunnel mode, and is most effective if it is 
implemented at a security gateway, where traffic aggregation may be able to mask true source- 
destination patterns. Although both confidentiality and authentication are optional, at least one 
of them must be selected. 
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Tunnel vs. Transport Mode 


This topic describes the differences in how the ESP and AH are applied using transport mode 
and tunnel mode. 


Tunnel Versus Transport Mode 


IP HDR ESP HDR 


New IP HDR ESP HDR 


Encrypted 
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This figure shows an IPSec-protected path in basic scenarios in tunnel and transport modes. In 
transport mode, end hosts do IPSec encapsulation of their own data (host-to-host) Therefore, 
IPSec has to be implemented on end-hosts. The application endpoint must also be the IPSec 
endpoint. In tunnel mode, IPSec gateways provide IPSec services to other hosts in peer-to-peer 
tunnels, and end-hosts are not aware of the IPSec that are being used to protect their traffic. 
IPSec gateways provide transparent protection of other host traffic over untrusted networks. 


ESP and AH can be applied to IP packets in two different ways, referred to as modes: 


= Transport mode: In transport mode, security is provided for the upper protocol layers— 
transport layer and above only. Transport mode protects the payload of the packet but 
leaves the original IP address in the clear. The original IP address is used to route the 
packet through the Internet. ESP transport mode is used between hosts. 


= Tunnel mode: Provides security for the whole original IP packet. The original IP packet is 
encrypted. Next, the encrypted packet is encapsulated in another IP packet. The outside IP 
address is used to route the packet through the Internet. 
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Security Associations 


This topic describes the concepts of security associations. 


Security Association 


Ain 
FEPDESISHA 
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SAs are one of the most basic concepts of IPSec. They represent a policy contract between two 
peers or hosts, and describe how the peers will use IPSec security services to protect network 
traffic. SAs contain all the security parameters that are needed to securely transport packets 
between peers or hosts, and they practically define the security policy used in IPSec. 


The figure illustrates the concept of an SA. The routers in the figure use IPSec to protect traffic 
between hosts A and B, and therefore need two SAs (one in each direction) to describe traffic 
protection in both directions. Establishment of SAs is a prerequisite for IPSec traffic protection 
to work. When relevant SAs are established, IPSec refers to them for all parameters that are 
needed to protect a particular traffic flow. For example, an SA might enforce the following 
policy: “For traffic between hosts A and B use ESP 3DES with keys K1, K2, and K3 for 
payload encryption, SHA-1 with K4 for authentication...” 


IPSec SAs always contain unidirectional (one-way) specifications. They are also encapsulation 
protocol specific. For each given traffic flow, there is a separate SA for each encapsulation 
protocol, AH and ESP. If two hosts A and B are communicating securely using both AH and 
ESP, then each host builds separate SAs (inbound and outbound) for each protocol. VPN 
devices store all their active SAs in a local database called the SA database. 
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An SA contains these security parameters: 


m Authentication encryption algorithm, key length, and other encryption parameters (such as 
key lifetime, for example) that are used with protected packets. 


m™ Session keys for authentication (HMACs) and encryption fed to the above algorithms. 
Those can be entered manually or negotiated automatically with the help of the IKE 
protocol. 


= A specification of network traffic to which the SA will be applied (that is, all IP traffic, 
only TELNET sessions, and so forth). 


m IPSec encapsulation protocol (AH or ESP) and mode (tunnel or transport). 
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Five Steps to IPSec 


5-46 


This topic describes the five steps of IPSec operation. 


Five Steps of IPSec 
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The goal of IPSec is to protect the desired data with the necessary security and algorithms. The 
figure shows only one of the two bidirectional IPSec SAs. IPSec operation can be broken down 


into five primary steps: 


Step 1 Interesting traffic initiates the IPSec process. Traffic is deemed interesting when the 


Step 2 


Step 3 


Step 4 


Step 5 
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VPN device recognizes that the traffic you want to send must be protected. 


IKE Phase 1. IKE authenticates IPSec peers and negotiates IKE SAs during this 
phase, setting up a secure communications channel for negotiating IPSec SAs in 
Phase 2. 


IKE Phase 2. IKE negotiates IPSec SA parameters and sets up matching IPSec SAs 
in the peers. These security parameters are used to protect data and messages that are 
exchanged between endpoints. 


Data transfer. Data is transferred between IPSec peers, based on the IPSec 
parameters and keys stored in the SA database. 


IPSec tunnel termination. IPSec SAs terminate through deletion or by timing out. 
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IPSec and IKE Relationship 


This topic describes how IKE enhances IPSec. 


How IPSec uses IKE 


1. Outbound packet is sent from 4. Packetis sent from RouterA to 
RoulcrA to Routers. No IPSec SA. RoulerB. protected by IPSec SA. 


3) IKE tunnel ; 


2. RouterA IKE begins 3, Negotistion complete, Routers 
negotiation with RauterB IKE. and RouterB naw have a complete 
sct of SAs in place. 


IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for 
the IPSec standard. IKE, defined in RFC 2409, is a hybrid protocol which implements the 
Oakley and Skeme key exchanges inside the ISAKMP framework. ISAKMP is defined in RFC 
2408. ISAKMP, Oakley, and Skeme are security protocols implemented by IKE. IKE provides 
authentication of the IPSec peers, negotiates IPSec keys, and negotiates IPSec SAs. 


The IKE tunnel protects the SA negotiations. After the SAs are in place, IPSec protects the data 
that A and B exchange. 


IKE mode configuration allows a gateway to download an IP address (and other network-level 
configuration) to the client as part of an IKE negotiation. Using this exchange, the gateway 
gives IP addresses to the IKE client to be used as an inner IP address encapsulated under IPSec. 
This provides a known IP address for the client, which can be matched against IPSec policy. 


This feature implements IKE mode configuration into existing Cisco IOS IPSec software 
images. Using IKE mode configuration, you can configure a Cisco access server to download 
an IP address to a client as part of an IKE transaction. IKE automatically negotiates IPSec SAs 
and enables IPSec secure communications without costly manual preconfiguration. 
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IKE provides these benefits: 


Eliminates the need to manually specify all the IPSec security parameters in the crypto 
maps at both peers 


Allows you to specify a lifetime for the IPSec SA 

Allows you to change encryption keys during IPSec sessions 

Allows IPSec to provide anti-replay services 

Permits CA support for a manageable, scalable IPSec implementation 


Allows dynamic authentication of peers 


The component technologies implemented for use by IKE include: 


DES: DES is used to encrypt packet data. IKE implements the 56-bit DES-cipher block 
chaining (CBC) with explicit initialization value (IV) standard. 


3DES: 168-bit encryption. 

AES: Advanced Encryption Standard is the new standard that provides stronger encryption 
(128-bit, 192-bit, 256-bit) and is less CPU-intensive. 

CBC: Requires an IV to start encryption. The IV is explicitly given in the IPSec packet. 
Diffie-Hellman: A public-key cryptography protocol that allows two parties to establish a 


shared secret over an unsecured communications channel. Diffie-Hellman is used within 
IKE to establish session keys. 768-bit and 1024-bit Diffie-Hellman groups are supported. 


MD5 (HMAC variant): MDS is a hash algorithm that is used to authenticate packet data. 
HMAC is a variant that provides an additional level of hashing. 


SHA (HMAC variant): SHA-1 is a hash algorithm that is used to authenticate packet data. 
HMAC is a variant that provides an additional level of hashing. 


RSA signatures and RSA encrypted nonces: RSA is the public key cryptographic system 
developed by Ron Rivest, Adi Shamir, and Leonard Adelman. RSA signatures provide 
nonrepudiation while RSA-encrypted nonces (uniquely occurring numbers) provide 
repudiation. 


X.509v3 digital certificates are used with the IKE protocol when authentication requires public 
keys. This certificate support allows the protected network to scale by providing the equivalent 
of a digital ID card for each device. When two devices must communicate, they exchange 
digital certificates to prove their identity, thus removing the need to exchange public keys 
manually with each peer or to specify a shared key manually at each peer. 
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IKE and IPSec Flowchart 


This topic describes the IPSec process using SAs and CAs. 


IKE and IPSec Flowchart 
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IPSec in Cisco IOS software processes packets as shown in the figure. The process assumes 
that you have already created your own public and private keys, and that at least one access list 
exists. The steps are listed here: 


Step 1 Access lists applied to an interface and crypto maps are used by Cisco IOS software 
to select interesting traffic to be encrypted. 


™ Cisco IOS software checks to see if IPSec SAs have been established. 


m Ifthe SA has already been established by manual configuration using the crypto 
ipsec transform-set and crypto map commands, or previously set up by IKE, 
the packet is encrypted based on the policy that is specified in the crypto map, 
and is transmitted out the interface. 


Step 2 If the SA has not been established, Cisco IOS software checks to see if an ISAKMP 
SA has been configured and set up. If the ISAKMP SA has been set up, the 
ISAKMP SA governs negotiation of the IPSec SA as specified in the ISAKMP 
policy configured by the crypto isakmp policy command. Then the packet is 
encrypted by IPSec and is transmitted. 


Step 3 If the ISAKMP SA has not been set up, Cisco IOS software checks to see if 
certification authority has been configured to establish an ISAKMP policy. If CA 
authentication is configured with crypto ca commands, the router uses public and 
private keys previously configured, gets the public certificate of the CA, gets a 
certificate for its own public key, uses the key to negotiate an ISAKMP SA, which 
in turn is used to establish IPSec SA. Finally, it encrypts and transmits the packet. 
This is usually a one-time enrollment process with the CA. 
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Tasks to Configure IPSec 


This topic describes the tasks to configure IPSec. 


Tasks to Configure IPSec 
ey | 


Task 1 — Prepare for IKE and IPSec 

Step 1: Determine IKE (IKE Phase 1) policy 

Step 2: Determine IPSec (IKE Phase 2) policy 

Step 3: Check the current configuration 

Step 4: Ensure that the network works without encryption 

Step 5: Ensure that access lists are compatible with IPSec 
Task 2 — Configure IKE 

Step 1: Enable or disable IKE 

Step 2: Create IKE policies 

Step 3: Configure ISAKMP identity 

Step 4: Configure preshared keys 

Step 5: Verify IKE configuration 
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Tasks to Configure IPSec (vont) 


Task 3 — Configure IPSec 


Step 1: Configure transform set suites 
Step 2: Configure global IPSec lifeline 
Step 3: Create crypto ACLs 
Step 4: Create crypto ACLs using extended access lists 
Step 5: Create crypto maps 
Step 6: Configure IPSec crypto maps 
Task 4 — Test and Verify IPSec 
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The use of IKE preshared keys for authentication of IPSec sessions is relatively easy to 
configure, yet does not scale well for a large number of IPSec clients. 


The process for configuring IKE preshared keys in Cisco IOS software for Cisco routers 
consists of four major tasks. Subsequent lessons of this module discuss each configuration task 
in more detail. The four major tasks are as follows: 


m= Task 1—Prepare for IPSec: This task involves determining the detailed encryption 
policy. This includes identifying the hosts and networks that you must protect, determining 
details about the IPSec peers, determining the IPSec features that you need, and ensuring 
that existing ACLs are compatible with IPSec. 


m= Task 2—Configure LIKE: This task involves enabling IKE, creating the IKE policies, and 
validating the configuration. 


= Task 3—Configure IPSec: This task includes defining the transform sets, creating crypto 
ACLs, creating crypto map entries, and applying crypto map sets to interfaces. 


= Task 4—Test and verify IPSec: Use show, debug, and related commands to test and 
verify that IPSec encryption works, and to troubleshoot problems. 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
ise. 


* IPSec is a set of security protocols and algorithms 
used to secure data at the network layer. 


* IPSec consists of the Encapsulating Security 
Payload (ESP) and Authentication Header (AH). 


° Internet Key Exchange (IKE) enhances IPSec by 
providing additional features, flexibility, and ease 
of configuration for the IPSec standard. 
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Quiz 


Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 


Ql) 


Q2) 


Q3) 


Q4) 


QS) 


Q6) 


IPSec supports which two encapsulation protocols? 
A) MDS and SHA-1 

B) SH1 and ESP 

C) ESP and AH 

D) AH and MDS5 


Transport mode provides protection for which layer and above? 
A) network 

B) transport 

C) session 


D) application 


How many security associations are generated for IPSec tunnels between routers? 


A) 1 
By) 2 
Cc}. 3 
Dy 4 


What is the first step in terminating an IPSec tunnel? 
A) IKE Phase | is negotiated. 

B) IKE Phase 2 is negotiated. 

C) IPSec peers terminate a tunnel. 


D) Interesting traffic must be generated. 

Internet Key Exchange increases the functionality of IPSec. 
A) true 

B) false 

To use IKE with IPSec, you must have a CA setup. 

A) true 

B) false 
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Q7)  Toconfigure IKE, you must enable IKE, create the IKE policies, and : 
A) apply crypto ACLs 
B) validate the configuring 
C) identify the host 


D) use the show command 
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Quiz Answer Key 


Ql) 


Q3) 


Q4) 


Q5) 


Q6) 


Q7) 


Cc 


Relates to: 


B 


Relates to: 


Cc 


Relates to: 


D 


Relates to: 


A 


Relates to: 


B 


Relates to: 


B 


Relates to: 
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IPSec 


Tunnel vs. Transport Mode 


Security Associations 


Five Steps to IPSec 


IPSec and IKE Relationship 


IKE and IPSec Flowchart 


Tasks to Configure IPSec 
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Task 1: Preparing for IKE and 
IPSec 


Overview 


Successful implementation of an IPSec network requires advance planning before beginning 
the configuration of individual routers. 


Relevance 


Before configuring IPSec it is necessary to establish a proper IPSec security policy. 


Objectives 
Upon completing this lesson, you will be able to: 
m Identify the steps in creating an IKE and IPSec security policy 
m™ Describe the process for determining the IKE Phase 1 policy 
m™ Define the IKE Phase | policy parameters 
m= Describe the process for determining the IKE Phase 2 policy 
m Identify the IPSec transforms supported by Cisco IOS software 
m™ Describe an example of an IPSec policy 
m™ Describe the importance of identifying the IPSec peer 
m Identify the commands that are used to check for existing IPSec security policies 
m= Identify the commands that are used to ensure connectivity between IPSec peers 


m= Describe how to ensure that access lists are compatible with IPSec 


Learner Skills and Knowledge 


To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m All knowledge presented in the /ntroduction to Cisco Networking Technologies (INTRO) 


course 


m All knowledge presented in the /nterconnecting Cisco Networking Devices (ICND) course 


Outline 
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This lesson includes these topics: 


Overview 

IKE Creation and IPSec Security Policy 

Step 1: Determine IKE (IKE Phase 1) Policy 

IKE Phase | Policy Parameters 

Step 2: Determine IPSec (IKE Phase 2) Policy 
IPSec Transforms Supported in Cisco IOS Software 
IPSec Policy Example 

IPSec Peers 

Step 3: Check Current Configuration 

Step 4: Ensure That the Network Works 

Step 5: Ensure That Access Lists Are Compatible with IPSec 
Summary 


Quiz 
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IKE Creation and IPSec Security Policy 


This topic identifies the steps for creating an IKE and IPSec security policy. 


Task 1—Prepare for IKE and IPSec 
mn | 


Task 1 — Prepare for IKE and IPSec 
Step 1—Determine IKE (IKE Phase 1) policy. 
Step 2—Determine IPSec (IKE Phase 2) policy. 
Step 3—Check the current configuration. 


show running-configuration 
show crypto isakmp policy 
show crypto map 
Step 4—Ensure the network works without encryption. 
ping 
Step 5—Ensure access lists are compatible with IPSec. 
show access-lists 
Task 2 — Configure IKE 
Task 3 — Configure IPSec 
Task 4 — Test and Verify IPSec 
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Configuring IPSec encryption can be complicated. You must plan in advance if you desire to 
configure IPSec encryption correctly the first time and minimize misconfiguration. You should 
begin this task by defining the IPSec security policy based on the overall company security 
policy. Some planning steps are as follows: 


Step 1 Determine IKE (IKE Phase 1) policy: Determine the IKE policies between IPSec 
peers based on the number and location of the peers. 


Step 2 Determine IPSec (IKE Phase 2) policy: Identify IPSec peer details such as IP 
addresses, IPSec transform sets, and IPSec modes. Then configure crypto maps to 
gather all IPSec policy details together. 


Step 3 Check the current configuration: Use the show running-configuration, show 
isakmp [policy], and show crypto map commands, and many other show 
commands to check the current configuration of the router. This is covered later in 
this lesson. 


Step 4 Ensure the network works without encryption (no excuses!): Ensure that basic 
connectivity has been achieved between IPSec peers using the desired IP services 
before configuring IPSec. You can use the ping command to check basic 
connectivity. 


Step 5 Ensure that access control lists (ACLs) are compatible with IPSec: Ensure that 
perimeter routers and the IPSec peer router interfaces permit IPSec traffic. In this 
step you need to enter the show access-lists command. 
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Step 1: Determine IKE (IKE Phase 1) Policy 


This topic describes the process for determining the IKE Phase 1 policy 


Step 1—Determine IKE (IKE Phase u, Policy 


Determine the following policy details: 
° Key distribution method 

* Authentication method 

¢ IPSec peer IP addresses and hostnames 


° IKE Phase 1 policies for all peers 


—Encryption algorithm 
—Hash algorithm 
—IKE SA lifetime 
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Configuring IKE is complicated. You should determine the IKE policy details to enable the 
selected authentication method, and then configure it. Having a detailed plan reduces the 
chances of improper configuration. Some of the planning steps include: 


= Determine the key distribution method: Determine the key distribution method that is 
based on the numbers and locations of IPSec peers. For a small network, you may want to 
manually distribute keys. For a larger network, you may want to use a CA server to support 
scalability of IPSec peers. You must then configure the ISAKMP to support the selected 
key distribution method. 


= Determine the authentication method: Choose the authentication method that is based on 
the key distribution method. Cisco IOS software supports either preshared keys, RSA 
encrypted nonces, or RSA signatures to authenticate IPSec peers. This lesson focuses on 
using preshared keys. 


m= Identify IPSec peer IP addresses and hostnames: Determine details of all of the IPSec 
peers that will use ISAKMP and preshared keys for establishing SAs. You will use this 
information to configure IKE. 
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= Determine ISAKMP policies for peers: An ISAKMP policy defines a combination, or 
suite, of security parameters to be used during the ISAKMP negotiation. Each ISAKMP 
negotiation begins by each peer agreeing on a common (shared) ISAKMP policy. The 
ISAKMP policy suites must be determined in advance of configuration. You must then 
configure IKE to support the policy details that you determined. Some ISAKMP policy 
details include: 


— Encryption algorithm 
— Hash algorithm 
— IKESA lifetime 


The goal of this planning step is to gather the precise data that you will need in later steps to 
minimize misconfiguration. 
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IKE Phase 1 Policy Parameters 


This topic describes the IKE Phase | policy parameters. 


IKE Phase 1 Policy Parameters 
ee eee ons nS SOE] 


Encryption Algorithm DES 


Hash Algorithm MDS 


Key Exchange D-H Group 1 
IKE SA Lifetime 86400 seconds 
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An IKE policy defines a combination of security parameters that are used during the IKE 
negotiation. A group of policies make up a “protection suite” of multiple policies that enable 
IPSec peers to establish IKE sessions and establish SAs with a minimal configuration. The 
figure shows an example of possible combinations of IKE parameters to form either a strong or 
a stronger policy suite. 


Create IKE Policies for a Purpose 


Because IKE negotiations must be protected, each IKE negotiation begins with each peer 
agreeing on a common (shared) IKE policy. This policy states which security parameters will 
be used to protect subsequent IKE negotiations. 


After the two peers agree upon a policy, an SA established at each peer identifies the security 
parameters of the policy. These SAs apply to all subsequent IKE traffic during the negotiation. 


You can create multiple, prioritized policies at each peer to ensure that at least one policy will 
match a remote peer policy. 


Define IKE Policy Parameters 


You can select specific values for each IKE parameter, according to the IKE standard. You 
select one value over another based on the security level you want and the type of IPSec peer to 
which you will connect. 


There are five parameters to define in each IKE policy, as shown in the figure and in the table 
here. The figure shows the relative strength of each parameter. The table shows the default 
values. 
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IKE Policy Parameters 


Parameter Accepted Values Keyword Default 
Message encryption DES des 56-bit DES-CBC 
algorithm 

3DES 3des 
Message integrity SHA-1 (HMAC variant) sha SHA-1 
(hash) algorithm 

MD5 (HMAC variant) md5 
Peer authentication Preshared keys pre-share RSA signatures 
method 

RSA encrypted nonces rsa-encr 

RSA signatures rsa-sig 
Key exchange 768-bit Diffie-Hellman 1 768-bit Diffie-Hellman 
parameters (Diffie- 
Hellman group or 
Menten 1024-bit Diffie-Hellman 2 


ISAKMP-established 
security association 
lifetime 


Can specify any number of 
seconds 


86,400 sec (one day) 


You can select specific values for each ISAKMP parameter per the ISAKMP standard. You 
select one value over another based on the security level you want and the type of IPSec peer to 
which you will connect. There are five parameters to define in each IKE policy as presented in 
the table here. The table shows the relative strength of each parameter. 


Parameter Strong Stronger 

Message encryption algorithm DES 3DES 

Message integrity (hash) algorithm MD5 SHA-1 

Peer authentication method Preshare RSA encryption 
RSA signature 

Key exchange parameters (Diffie- D-H Group 1 D-H Group 2 

Hellman group identifier) 

ISAKMP-established security 86,400 sec <86,400 sec 

association lifetime 


You should determine IKE policy details for each peer before configuring IKE. The figure 
shows a summary of IKE policy details that will be configured in examples and later, in labs 
for this lesson. The authentication method of preshared keys is also covered in this lesson. 
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Step 2: Determine IPSec (IKE Phase 2) Policy 


This topic describes the process for determining the IKE Phase 2 policy. 


Step 2—Determine IPSec (IKE Phase 2) 
Policy 


eee 
Determine the following policy details: 


° IPSec algorithms and parameters for optimal 
security and performance 


* Transforms and, if necessary, transform sets 


¢ IPSec peer details 


e IP address and applications of hosts to be 
protected 


¢ Manual or IKE-initiated SAs 


Goal: Minimize misconfiguration 


An IPSec policy defines a combination of IPSec parameters that are used during the IPSec 
negotiation. Planning for IPSec (IKE Phase 2) is another important step you should complete 
before actually configuring IPSec on a Cisco router. Policy details to determine at this stage 
include: 


m Select IPSec algorithms and parameters for optimal security and performance: 
Determine what type of IPSec security to use when securing interesting traffic. Some IPSec 
algorithms require that you make tradeoffs between high performance and stronger 
security. Some algorithms have import and export restrictions that may delay or prevent 
implementation of your network. 


m= Select transforms and, if necessary, transform sets: Use the IPSec algorithms and 
parameters previously decided upon to help select IPSec transforms, transform sets, and 
modes of operation. 


m= Identify IPSec peer details: Identify the IP addresses and host names of all IPSec peers to 
which you will connect. 


= Determine IP address and applications of hosts to be protected: Decide which IP 
addresses and applications of hosts should be protected at the local peer and remote peer. 


m= Select manual or IKE-initiated SAs: Choose whether SAs are manually established or are 
established via IKE. 


The goal of this planning step is to gather the precise data that you will need in later steps to 
minimize misconfiguration. 
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IPSec Transforms Supported in Cisco lOS 
Software 


This topic describes the IPSec transforms that are supported by Cisco IOS software. 


IPSec Transforms Supported in 
Cisco IOS Software 


| 


Cisco IOS software supports the following IPSec transforms: 


CentrealA iconfag )# crypto apeaewc transforms —wet trensform -set-sane 7 
ah ~mdS ~hmas An - HMAC -MDS teenstosm 

ah - sha-hmac AE - HMAC -SEA transform 

esp -AIdes RSP transform esing 3DES(ROR) cipher {165 hits) 

esp <des ESP transform ceing DES cipher (54 hits) 

esp -mdStumeac ESP transform usiog HMAC —-MoDS auth 

esp <-sha- hmac £5? transform using BMAC “SHA suth 

esp - aull ESP transform w/o capher 


Cisco IOS software supports the IPSec transforms as shown in the figure. Newer Cisco IOS 
software includes support for Advanced Encryption Standard (AES). 


Note AH is rarely used because authentication is now available with the esp-sha-hmac and esp- 
md5-hmac transforms. AH is also not compatible with NAT or PAT. 


Note IOS Release 12.2(13)T adds the AES feature support for the new encryption standard AES. 
The National Institute of Standards and Technology (NIST) has created AES, which is a new 
Federal Information Processing Standards (FIPS) publication that describes an encryption 
method. AES is a privacy transform for IPSec and IKE, and has been developed to replace 
DES. AES is designed to be more secure than DES in that AES offers a larger key size. The 
algorithm can specify a 128-bit key (the default), a 192-bit key, or a 256-bit key. 
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Encapsulating Security Payload 


Transform Description 
esp-des ESP transform using DES cipher (56 bits) 
esp-3des ESP transform using 3DES(EDE) cipher (168 bits) 


esp-md5-hmac ESP transform with HMAC-MD5 authentication used with an ESP-DES or ESP- 
3DES transform to provide additional integrity of ESP packet 


esp-sha-hmac ESP transform with HMAC-SHA authentication used with an ESP-DES or ESP- 
3DES transform to provide additional integrity of ESP packet 


esp-null ESP transform without a cipher. May be used in combination with ESP-MD5-HMAC 
or ESP-SHA-HMAC if one wants ESP authentication with no encryption 


Caution Never use esp-null in a production environment because it does not protect data flows. 


Examples of acceptable transforms that can be combined into sets are shown in the table here. 


Acceptable Transforms 


Transform Type Allowed Transform Combinations 
AH transform m ah-md5-hmac—AH with the MD5 (HMAC variant) authentication 
(Pick up to one) algorithm 


m ah-sha-hmac—AH with the SHA (HMAC variant) authentication 
algorithm 


ESP encryption transform | m esp-des—ESP with the 56-bit DES encryption algorithm 
(Pick up to one) 
m esp-3des—ESP with the 168-bit DES encryption algorithm (3DES) 
m esp-null—Null encryption algorithm 

m esp-aes—ESP with 128-bit AES encryption 

m esp-aes 192—ESP with 192-bit AES encryption 


m esp-aes 256—ESP with 256-bit AES encryption 


ESP authentication m esp-md5-hmac—ESP with the MD5 (HMAC variant) authentication 
transform algorithm 


(Pick up to one) 
m esp-sha-hmac—ESP with the SHA (HMAC variant) authentication 


algorithm 


IP compression transform | m comp-lzs—IP compression with the LZS algorithm 


The Cisco IOS command parser prevents you from entering invalid combinations; for example, 
after you specify an AH transform, it does not allow you to specify another AH transform for 
the current transform set. 
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IPSec Policy Example 


This topic describes an example of an IPSec policy. 


The figure shows a summary of IPSec encryption policy details that will be configured in 


IPSec Policy Example 


Host B 


RowterB f 
— 5S 
100.23 


E0/172.30.1,2 EOV1.172.30.22 


DES, Tunne 


RovuterB 


172.30 2.2 


ipsec isakmp 
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examples in this lesson. (Details about IPSec transforms are covered later in this lesson.) The 
example policy specifies that TCP traffic between the hosts should be encrypted by IPSec that 
uses DES. 


Determining network design details includes defining a more detailed IPSec policy for 
protecting traffic. You can then use the detailed policy to help select IPSec transform sets and 
modes of operation. Your IPSec policy should answer these questions: 


What protections are required or are acceptable for the protected traffic? 

Which IPSec transforms or transform sets should be used? 

What are the peer IPSec endpoints for the traffic? 

What traffic should or should not be protected? 

Which router interfaces are involved in protecting internal nets and external nets? 


How are SAs set up (manual or IKE negotiated) and how often should the SAs be 
renegotiated? 
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IPSec Peers 


This topic describes the importance of identifying the IPSec peer. 


Identify IPSec Peers 


Cieco router 


fp 


Remote user vie ag, 


Cisco VPN Client 


VPN Concentrator 


An important part of determining the IPSec policy is to identify the IPSec peer with which the 
Cisco router will communicate. The peer must support IPSec as specified in the RFCs that are 
supported by Cisco IOS. Many different types of peers are possible. Before configuration, 
identify all the potential peers and their VPN capabilities. Possible peers include, but are not 
limited, to these: 


™ Other Cisco routers 

m The Cisco PIX Firewall 

m The Cisco VPN client (hardware or software) 
m The Cisco VPN concentrator 

m CA servers if they are used 


m [IPSec products of other vendors that conform to IPSec RFCs 


Caution Incompatibilities may exist when configuring IPSec and IKE between older and newer IOS 
images; for example, configuring |PSec between a router with IOS 12.0.3 and another router 
with lOS 12.2.8. Compatibility matrixes should be checked in the planning stages. 
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Step 3: Check Current Configuration 


This topic describes the commands that are used to check for existing IPSec security policies. 


Step 3—Check Current Configuration 


Host A Host B 
RouterB . 


10.023 


17230.2.2 


show crypto map 


* View any configured crypto maps. 


show crypto ipsec transform-set 


* View any configured transform sets. 


The current Cisco router configuration should be checked to see if there are any IPSec policies 
already configured that are useful for—or may interfere with—the IPSec policies that you plan 
to configure. Previously configured IKE and IPSec policies and details can and should be used, 
if possible, to save configuration time. However, they can make troubleshooting more difficult 
if problems arise. 


You can see if any IKE policies have previously been configured by using the show running- 
config command. You can also use the variety of show commands that are specific to IPSec. 
For example, you can use the show crypto isakmp policy command, shown in the figure, to 
examine IKE policies. 

RouterA# show crypto isakmp policy 

Default protection suite 


encryption algorithm: DES - Data Encryption Standard (56 
bit keys) 


hash algorithm: Secure Hash Standard 

authentication method: Rivest-Shamir-Adleman Signature 

Diffie-Hellman Group: #1 (768 bit) 

lifetime: 86400 seconds, no volume limit 
The default protection suite seen here is available for use without modification. You can also 


use the other available show commands covered in other lessons of this module to view IKE 
and IPSec configuration. 
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The show crypto map command shown in the figure is useful for viewing any previously 
configured crypto maps (crypto maps are covered in detail later in this module). Previously 
configured maps can and should be used to save configuration time. However, previously 
configured crypto maps can interfere with the IPSec policy that you are trying to configure. 


RouterA# show crypto map 

Crypto Map "mymap" 10 ipsec-isakmp 
Peer = 172.30.2.2 
Extended IP access list 102 


access-list 102 permit ip host 172.30.1.2 host 
172.30.2.2 


Current peer: 172.30.2.2 


Security association lifetime: 4608000 kilobytes/3600 
seconds 


PFS (Y/N): N 
Transform sets={ mine, } 
You can also use the show crypto ipsec transform-set command to view previously 


configured transform sets. Previously configured transforms can, and should, be used to save 
configuration time. 


RouterA# show crypto ipsec transform-set mine 
Transform set mine: { esp-des } 


will negotiate = { Tunnel, }, 
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Step 4: Ensure That the Network Works 


This topic describes the commands that are used to ensure connectivity between IPSec peers. 


Step 4—Ensure That the Network Works 


Cisco RowerB 


RouterA # ping 172.30.2.2 172.2022 


5 | @ 


Remote user tte Gieots vevier Cisco 


Ciace Unified POX Firewall 
VPN client 


Ciscoe 
VPN Concentrator 
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Basic connectivity between peers must be checked before you begin configuring IPSec. 


The router ping command can be used to test basic connectivity between IPSec peers. While a 
successful Internet Control Message Protocol (ICMP) echo (ping) will verify basic connectivity 
between peers, you should ensure the network works with any other protocols or ports you 
want to encrypt, such as Telnet, FTP, or SQL*NET before beginning IPSec configuration. 


After IPSec is activated, basic connectivity troubleshooting can be difficult because the security 
configuration may mask a more fundamental networking problem. Previous security settings 
could result in no connectivity. 


Note The ping command may be limited by access lists. 


Copyright © 2004, Cisco Systems, Inc. Virtual Private Networks 5-71 


Step 5: Ensure That Access Lists Are Compatible 
with IPSec 
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This topic describes how to ensure that access lists are compatible with IPSec. 


Step 5—Ensure That Access Lists Are 
Compatible with IPSec 


—i— 


EO 172.30.1.2 E0V1 172.30,.2.2 


RouterA®# show access -lists 


access ~lizt 102 permit ahp host i722. -2.2 Bost 172.30.1.2 
access-list 102 permit cop host 172. .2.2 host 172.30.1.2 


aocess “list 102 percmit udp hoet 172.30.2.2 host 172.30.1.2 eg 
Lsakmp 


* Ensure that protocols 50 and 51, and UDP port 500 traffic are 
not blocked at interfaces used by IPSec. 
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You will need to ensure that existing ACLs on perimeter routers, firewalls, or other routers do 
not block IPSec traffic. Perimeter routers typically implement a restrictive security policy with 
ACLs, where only specific traffic is permitted and all other traffic is denied. Such a restrictive 
policy blocks IPSec traffic. Therefore, you must add specific permit statements to the ACL to 
allow IPSec traffic. 


Ensure that your ACLs are configured so that ISAKMP, ESP, and AH traffic is not blocked at 
interfaces used by IPSec. ISAKMP uses User Datagram Protocol (UDP) port 500. ESP is 
assigned IP protocol number 50, and AH is assigned IP protocol number 51. In some cases, you 
may need to add a statement to router ACLs to explicitly permit this traffic. You may need to 
add the ACL statements to the perimeter router by performing these steps: 


Step 1 Examine the current ACL configuration at the perimeter router and determine if it 
will block IPSec traffic: 


RouterA# show access-lists 
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Step 2 Add ACL entries to permit IPSec traffic. To do this, copy the existing ACL 
configuration and paste it into a text editor as follows: 


Ls 
2: 
3: 
4. 
5. 


Copy the existing ACL configuration and paste it into a text editor. 


Add the ACL entries to the top of the list in the text editor. 


Delete the existing ACL with the no access-list access-list number command. 


Enter configuration mode and copy and paste the new ACL into the router. 


Verify that the ACL is correct with the show access-lists command. 


A concatenated example showing ACL entries permitting IPSec traffic for RouterA is as 


follows: 


RouterA# show running-config 


interface Serial0/1 


ip address 172.30.1.2 255.255.255.0 


ip access-group 102 in 


access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2 


access-list 102 permit esp host 172.30.2.2 host 172.30.1.2 


access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq 
isakmp 


Note that the protocol keyword of esp equals the ESP protocol (number 50), the keyword of 
ahp equals the AH protocol (number 51), and the isakmp keyword equals UDP port 500. 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
ee ee ere ac LOO | 


* Determine the IKE policy details to enable the 
selected authentication method, and then 
configure it. 


° An IKE policy defines a combination of security 
parameters used during the IKE negotiation. 


° It is important to identify the IPSec that peer the 
Cisco router will communicate with. 


¢ The current Cisco router configuration should be 
checked to see if there are any IPSec that policies 
already configured that are useful for, or may 
interfere with, the IPSec that policies you plan to 
configure. 
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Quiz 


Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 


Ql) 


Q2) 


Q3) 


Q4) 


QS) 


Q6) 


Q7) 


What is the purpose of examining the access lists when preparing for IKE and IPSec? 


A) to enforce VPN security 


B) to make sure VPN security is not blocked by an access list 
C) to show which interfaces are serial interfaces 
D) to implement unused security policies 


Which key distribution method is most effective for a number of VPN users? 


A) preshared keys 


B) a network administrator PDA 
C) hashing 
D) certification authorities 


Which transform type is most secure? 

A) ah-sha-hmac 

B) ah-md5-hmac 

C) esp-null 

D) esp-des 

It is not necessary to define a transform set when determining IPSec policy. 


A) true 
B) false 


Which of the following devices may NOT be an IPSec peer? 

A) a PC with a VPN client 

B) a Cisco network switch 

C) a Cisco router 

D) a VPN concentrator 

The show crypto map command will not define the peer of the map. 
A) true 

B) false 

IPSec implementation makes basic troubleshooting difficult because 
A) there are many commands to memorize 


B) analyzing packets may be difficult if they are encrypted 


C) it applies access lists that block traffic with the implicit deny command 
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Q8) Which of the following does NOT need to be allowed through an access list to ensure 
that a VPN will function? 


A) protocol 50 
B) protocol 51 
C) UDP port 500 
D) UDP port 53 
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Quiz Answer Key 


Ql) B 

Relates to: IKE Creation and IPSec Security Policy 
Q2) D 

Relates to: Step 1: Determine IKE (IKE Phase 1) Policy 
Q3) D 

Relates to: IPSec Transforms Supported in Cisco IOS Software 
Q4)  B 

Relates to: IPSec Policy Example 
Q5)  B 

Relates to: IPSec Peers 
Qo) B 

Relates to: Step 3: Check Current Configuration 
Q7) B 

Relates to: Step 4: Ensure That the Network Works 
Q8)  D 


Relates to: Step 5: Ensure That Access Lists Are Compatible with IPSec 
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Task 2: Configuring IKE 


Overview 


The next major task in configuring Cisco IOS IPSec is to configure the IKE parameters that 
you gathered earlier. This lesson describes the steps that are used to configure IKE policies. 


Relevance 


A major task in configuring IPSec is to configure the proper IKE parameters that are used in 
IKE policies. 


Objectives 
Upon completing this lesson, you will be able to: 
m™ List the steps to configure IKE 
m= Identify the command that is used to enable or disable ISAKMP 
m Identify the command that is used to define an IKE policy 
m Identify the command that is used to set ISAKMP parameters 
m™ Describe the process and commands in IKE policy negotiation 
m Identify the command that is used to configure the ISAKMP identity 
m Identify the command that is used to configure a preshared authentication key 


m Identify the command to verify IKE configuration 


Learner Skills and Knowledge 


To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m= All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO) 
course 


m All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course 


Outline 
This lesson includes these topics: 
m Overview 
m IKE Configuration 
m™ Step 1: Enable or Disable IKE 
m Step 2: Create IKE Policies 
m™ IKE Policy Creation with the crypto isakmp Command 
m IKE Policy Negotiation 
m Step 3: Configure ISAKMP Identity 
m Step 4: Configure Preshared Keys 
m Step 5: Verify IKE Configuration 
= Summary 


B Quiz 
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IKE Configuration 


This topic describes the steps that are required to configure IKE. 


Task 2—Configure IKE 
rr EE, ee 


Task 1 — Prepare for IKE and IPSec 
Task 2 — Configure IKE 
Step 1—Enable or disable IKE. 
crypto isakmp enable 
Step 2—Create IKE policies. 


crypto isakmp policy 
Step 3—Configure ISAKMP 
crypto isakmp identity 
Step 4—Configure preshared keys. 
crypto isakmp key 
Step 5—Verify the IKE configuration. 
show crypto isakmp policy 
Task 3 — Configure IPSec 
Task 4 - Test and Verify IPSec 


BCRAN v2.15-2 


Configuring IKE consists of these essential steps and commands: 

Step 1 Enable or disable IKE with the crypto isakmp enable command. 

Step 2 Create IKE policies with the crypto isakmp policy commands. 

Step 3 Configure preshared keys with the crypto isakmp key and associated commands. 


Step 4 Verify the IKE configuration with the show crypto isakmp policy command. 
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Step 1: Enable or Disable IKE 


This topic describes the command that is used to enable or disable IKE. 


Step 1—Enable IKE 


Host A 


10.0.1.3 


V723012 172.022 


Router A crypto isakmp enable 


* Globally enables or disables IKE at your router. 

« IKE is enabled by default. 

« IKE is enabled globally for all interfaces at the router. 

« Use the no form of the command to disable IKE. 

« An ACL can be used to block IKE on a particular interface. 
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The first step in configuring IKE is to enable or disable ISAKMP, thereby enabling or disabling 
IKE. ISAKMP, and consequently IKE, is globally enabled and disabled with the crypto 


isakmp enable command. ISAKMP is enabled by default. Use the no form of the command to 
disable ISAKMP. 


Although ISAKMP does not have to be enabled for individual interfaces, it is enabled globally 
for all interfaces at the router. You may choose to block ISAKMP access on interfaces that are 


not used for IPSec to prevent possible denial of service attacks by using an ACL statement that 
blocks UDP port 500 on the interfaces. 
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Step 2: Create IKE Policies 


This topic describes the command that is used to create an IKE policy. 


Step 2—Create IKE Policies 


Host A 


j RouterA 
10.0.1.3 


V723012 172.022 


router(config) # 
crypto isakmp policy priority 


« Defines an IKE policy, which is a set of parameters used 
during IKE negotiation. 


* Invokes the config-isakmp command mode. 


RouterA ( config )# crypto isakmp policy 110 


The next major step in configuring Cisco IOS ISAKMP support is to define a suite of ISAKMP 
policies. The goal of defining a suite of IKE policies is to establish ISAKMP peering between 
two IPSec endpoints. Use the IKE policy details that you gathered during the planning task. 


Use the crypto isakmp policy command to define an IKE policy. IKE policies define a set of 
parameters that are used during the IKE negotiation. Use the no form of this command to delete 
an IKE policy. The command syntax and parameter definition is shown in the table. 


crypto isakmp policy priority 


crypto isakmp policy priority Command Parameter 


Parameter 


Description 


priority Uniquely identifies the IKE policy and assigns a priority to the policy. Use an integer 


from 1 to 10,000, with 1 being the highest priority and 10,000 the lowest. 


This command invokes the ISAKMP policy configuration (config-isakmp) command mode. 


Note Assign the most secure policy the lowest priority number so that the most secure policy will 
find a match before any less-secure policies are configured. 
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IKE Policy Creation with the crypto isakmp 
Command 


5-84 


This topic describes the command that is used to set ISAKMP parameters. 


Create IKE Policies with the 
crypto isakmp Command 


Site 2 
Rowers 


Internet 4 


172.90.22 wars 


router(config) # 


crypto isakmp policy priority 


« Defines the parameters within the IKE policy 110. 


RouterA(config)# crypto isakmp policy 110 
RouterA(config-isakmp) # authentication pre-share 
RouterA(config-isakmp)# encryption des 
RouterA(config-isakmp) # group 1 
RouterA(config-isakmp) # hash md5 
RouterA(config-isakmp) # lifetime 86400 
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The crypto isakmp policy command invokes the ISAKMP policy configuration command 
mode (config-isakmp) where you can set ISAKMP parameters. If you do not specify one of 
these commands for a policy, the default value will be used for that parameter. The table lists 
the keywords available to specify the parameters in the policy while you are in the config- 
isakmp command mode. 
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Keywords for ISAKMP Parameters 


Parameter Keyword Accepted Values Default Value | Description 
Encryption des 56-bit DES-CBC des Message encryption 
algorithm. 
aes 128-bit AES 
aes 192 192-bit AES 
aes 256 256-bit AES 
Hash sha SHA-1 (HMAC variant) sha Message integrity 
(Hash) algorithm. 
md5 MD5 (HMAC variant) 
Authentication | rsa-sig RSA signatures rsa-sig Peer authentication 
method. 
rsa-encr RSA encrypted nonces 
pre-share preshared keys 
Group 1 768-bit Diffie-Hellman or | 1 Key exchange 
parameters (Diffie- 
2 1024-bit Diffie-Hellman Hellman group 
identifier). 
Lifetime seconds Can specify any number | 86,400 sec ISAKMP-established 
of seconds (one day) SA lifetime. You can 
usually leave this 
value at the default. 
exit Exits the config- 


isakmp mode. 


Multiple ISAKMP policies can be configured on each peer participating in IPSec. ISAKMP 
peers negotiate acceptable ISAKMP policies before agreeing upon the SA to be used for IPSec. 


Virtual Private Networks 5-85 


Copyright © 2004, Cisco Systems, Inc. 


IKE Policy Negotiation 


5-86 


This topic describes the processes and commands in IKE policy negotiation. 


IKE Policy Negotiation 


HostA Host 8 
RouterA RouterB f 

| Internet ee 
7 } 

10.0143 16.02.35 


RouterA (config # 


oFypte icakep policy 100 ©Orypro ieakep policy 100 
hash md5 hash ad5 
authentication pre ~- share authentication pre ~ share 
crypto isakmp policy 200 erypto isakmp policy 200 
authentication ssa - sig authentication cea ~ sig 
hash she hash sha 
oOrypte icakep policy 300 orypto isskep policy 300 
authentication pre - share authentication rsa - sig 


hash a5 


* The first two policies in each router can be successfully negotiated while the 
last one can not. 
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ISAKMP peers negotiate acceptable ISAKMP policies before agreeing upon the SA to be used 
for IPSec. 


When the ISAKMP negotiation begins in IKE Phase 1 main mode, ISAKMP looks for an 
ISAKMP policy that is the same on both peers. The peer that initiates the negotiation sends all 
of its policies to the remote peer, and the remote peer tries to find a match with its policies. The 
remote peer looks for a match by comparing its own highest priority policy against the other 
peer received policies in its ISAKMP policy suite. The remote peer checks each of its policies 
in order of its priority (highest priority first) until a match is found. 


A match is made when both policies from the two peers contain the same encryption, hash, 
authentication, Diffie-Hellman parameter values, and when the policy of the remote peer 
specifies a lifetime less than or equal to the lifetime of the policy being compared. If the 
lifetimes are not identical, the shorter lifetime from the remote peer policy is used. Assign the 
most secure policy the lowest priority number so that the most secure policy will find a match 
before any less secure policies are configured. 


If an acceptable match is not found, ISAKMP refuses negotiation and IPSec is not established. 
If a match is found, ISAKMP completes the main mode negotiation, and IPSec SAs are created 
during IKE Phase 2 quick mode. 
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Step 3: Configure ISAKMP Identity 


This topic describes the command that is used to configure the ISAKMP identity. 


Step 3—Configure ISAKMP coneny 


router(config) # 


172.30.1.2 1723022 


crypto isakmp identity {address | hostname} 


* Defines whether ISAKMP identity is done by IP address or 


hostname. 


« Use consistently across ISAKMP peers. 
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IPSec peers authenticate each other during ISAKMP negotiations by using the preshared key 
and the ISAKMP identity. The identity can either be the IP address or the host name of the 
router. Cisco IOS software uses the IP address identity method by default. A command 
indicating the address mode does not appear in the router configuration. 


If you choose to use the host name identity method, you must specify the method with the 
crypto isakmp identity global configuration command. Use the no form of this command to 
reset the ISAKMP identity to the default value (address). The command syntax and parameter 
definitions are as follows: 


crypto isakmp identity {address | hostname} 


crypto isakmp identity (address | hostname) Command 


crypto isakmp 
identity Command 


Description 


address Sets the ISAKMP identity to the IP address of the interface that is used to 
communicate to the remote peer during ISAKMP negotiations. 
The keyword is typically used when there is only one interface that will be used 
by the peer for ISAKMP negotiations, and the IP address is known. 
hostname Sets the ISAKMP identity to the host name concatenated with the domain name 


(for example, myhost.domain.com). 


The keyword should be used if there is more than one interface on the peer that 
might be used for ISAKMP negotiations, or if the interface IP address is 
unknown (such as with dynamically-assigned IP addresses). 


Copyright © 2004, Cisco Systems, Inc. 


Virtual Private Networks 5-87 


If you use the host name identity method, you may need to specify the host name for the remote 
peer if a DNS server is not available for name resolution. An example of this follows: 


RouterA (config) # ip host RouterB.domain.com 172.30.2.2 
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Step 4: Configure Preshared Keys 


This topic describes the command that is used to configure a preshared authentication key. 


Step 4—Configure Preshared nove 
Internet a 
10.0.1.3 172.30.1.2 10.0.23 


Preshared Key 
Ciscoi2z34 3s 172,30,2.2 


router(config) # 


crypto isakmp key keystring address peer-address 


RouterA(config)# crypto isakmp key ciscol234 
address 172.30.2.2 


« Assigns a keystring and the peer address. 
« The peer IP address or hostname can be used. 
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Configure a preshared authentication key with the crypto isakmp key global configuration 
command. You must configure this key whenever you specify preshared keys in an ISAKMP 
policy. Use the no form of this command to delete a preshared authentication key. The 
command syntax parameter definitions are as follows: 


crypto isakmp key keystring address peer-address 


crypto isakmp key keystring hostname peer-hostname 


crypto isakmp key Command Arguments 


cyrpto isakmp key Description 
keystring Command 


keystring Specify the preshared key. Use any combination of alphanumeric characters 
up to 128 bytes. This preshared key must be identical at both peers. 

peer-address Specify the IP address of the remote peer. 

hostname Specify the host name of the remote peer. This is the peer host name 


concatenated with its domain name (for example, myhost.domain.com). 


Note A given preshared key is shared between two peers. At a given peer, you can specify the 
same key to share with multiple remote peers; however, a more secure approach is to 
specify different keys to share between different pairs of peers. 
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The following configuration example shows ISAKMP and preshared keys for routerA and 
routerB. Note that the keystring of cisco1234 matches. The address identity method is 
specified. The ISAKMP policies are compatible. Default values do not have to be configured. 


RouterA (config) # crypto isakmp key ciscol234 address 
172.30.2.2 


RouterA (config) # crypto isakmp policy 110 
RouterA (config-isakmp)# hash md5 
RouterA (config-isakmp)# authentication pre-share 


RouterA (config-isakmp) # exit 


RouterB (config) # crypto isakmp key cisco1234 address 
172.30.1.2 


RouterB (config) # crypto isakmp policy 110 
RouterB (config-isakmp)# hash md5 
RouterB (config-isakmp)# authentication pre-share 


RouterB (config-isakmp) # exit 
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Step 5: Verify IKE Configuration 


This topic describes the command that is used to verify IKE configuration. 


Step 5—Verify IKE Configuration 


coutecAt show orypte iaakep poliay 

Pectection suite of priority 110 
enaryption algosiths DES -Datea Encryption Itandard (50 bit keys} . 
bash aigoed clue: Hesseage bigest & 
anthantiscatien mathsd: ira - Sharad Key 
Diffie-Hellman greup: 41 (768 Bit) 
lifetine 86400 seconds, mo wolure limt 

Default provecticn susie 
onoryption algorithna DES= Dats Enoryptics Standard (56 bit boys). 
hash aigorithn: Secure Bash Standaré 
authentication method: Rivest -Shamir Adlessn Giqnatece 
Biffie—Sellean geeup: @l (7ER bit» 


lifetine: 26400 eeconds, oo wolucw list 


* Displays configured and default IKE policies. 
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You can use the show crypto isakmp policy command to display configured and default 
policies. The resultant ISAKMP policy for routerA is shown in the output here and in the 
figure. RouterB configuration is identical. 

RouterA# show crypto isakmp policy 


Protection suite of priority 110 


encryption algorithm: DES - Data Encryption Standard (56 bit keys). 


hash algorithm: Message Digest 5 
authentication method: Pre-Shared Key 

Diffie-Hellman group: #1 (768 bit) 

lifetime: 86400 seconds, no volume limit 


Default protection suite 


encryption algorithm: DES - Data Encryption Standard (56 bit 
keys) . 


hash algorithm: Secure Hash Standard 
authentication method: Rivest-Shamir-Adleman Signature 
Diffie-Hellman group: #1 (768 bit) 


lifetime: 86400 seconds, no volume limit 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
ee ee nas OO] 


* Configuring IKE consists of several essential steps 
and commands. 


¢ Configure IKE to enable or disable ISAKMP with 
the crypto isakmp enable command. 


* Use the crypto isakmp policy command to define an 
IKE policy. 


° ISAKMP peers negotiate acceptable ISAKMP 
policies before agreeing upon the SA to be used 
for IPSec. 


° IPSec peers authenticate each other during 
ISAKMP negotiations using the preshared key and 
the ISAKMP identity. 
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Quiz 


Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 


Ql) 


Q2) 


Q3) 


Q4) 


QS) 


Q6) 


Which command enables IKE? 

A) crypto isakmp enable 

B) crypto isakmp policy 

C) crypto isakmp key 

D) show crypto isakmp policy 

The crypto isakmp enable command is defined on a per-interface basis. 
A) true 

B) false 

Crypto isakmp policies are read in descending order of priority. 

A) true 

B) false 

What types of authentication methods cannot be used by Cisco IOS ISAKMP peers? 
A) token cards 

B) RSA signatures 


C) RSA nonces 
D) preshared keys 


If two identical isakmp policies are not configured on potential IPSec partners, what 


happens? 

A) The peers negotiate on all other parameters and use the defaults for dissimilar 
elements. 

B) The peers refuse to negotiate and do not continue building an IPSec tunnel. 

C) The peers build an IPSec tunnel but there is a risk that the traffic will not be 
encrypted. 

D) The peers are forced to reboot and search their startup configuration. 


If there is no DNS server available in the network, you may NOT use the crypto 
isakmp identity hostname command. 


A) true 
B) false 
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Q7) | What command is used to identify the preshared key? 
A) crypto isakmp key key address peer-address 
B) crypto isakmp pre-share key address peer-address 
C) crypto ipsec key key address peer-address 
D) crypto ipsec pre-share key address peer-address 
Q8) The show crypto isakmp policy command displays all of the information below 
except 
A) hash algorithm 
B) encryption algorithm 
C) authentication method 


D) interface-type number 
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Quiz Answer Key 


Ql) A 

Relates to: IKE Configuration 
Q2) B 

Relates to: Step 1: Enable or Disable IKE 
Q3)  B 

Relates to: Step 2: Create IKE Policies 
Q4) A 

Relates to: IKE Policy Creation with the crypto isakmp Command 
Q5) B 

Relates to: IKE Policy Negotiation 
Q6) B 

Relates to: Step 3: Configure ISAKMP Identity 
Q7) A 

Relates to: Step 4: Configure Preshared Keys 
Q8)  D 


Relates to: Step 5: Verify IKE Configuration 
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Task 3: Configuring IPSec 


Overview 


The next major task in configuring Cisco IOS IPSec is to configure the IPSec parameters that 
you previously gathered. This lesson describes the steps that are used to configure IPSec. 


Relevance 


It is important to understand and properly configure all of the necessary features of IPSec. 


Objectives 
Upon completing this lesson, you will be able to: 
m= List the steps to configure IPSec encryption on Cisco routers 
m™ Describe the process of configuring Cisco IOS IPSec to define a transform set objective 
m™ Describe the process of transform set negotiation 
m™ Describe how to configure global SAs 
m Describe how to configure crypto ACLs 


m™ Describe the process of using crypto ACLs to identify traffic flows that need to be 
protected 


m= Describe how to configure symmetric crypto ACLs for use by IPSec 


m= Define the purpose of crypto maps, examining the crypto map command and example 
crypto maps 


m™ Describe the use of crypto maps and their parameters 
m™ Provide an example of the use of IPSec on two routers 


m Provide an example of configuring IPSec to apply the crypto map set to an interface 


Learner Skills and Knowledge 


To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m All knowledge presented in the /ntroduction to Cisco Networking Technologies (INTRO) 
course 


m All knowledge presented in the /nterconnecting Cisco Network Devices (ICND) course 


Outline 


This lesson includes these topics: 

m Overview 

m IPSec Configuration 

m= Step 1: Configure Transform Set Suites 

m Set Negotiation Transformation 

m= Step 2: Configure Global IPSec Security Association Lifetimes 
m™ Crypto Access Lists Functionality 

m Step 3: Create Crypto ACLs Using Extended Access Lists 
m= Symmetric Peer Crypto Access Lists Configuration 

= Crypto Maps Functionality 

m™ Crypto Map Parameters 

m Step 4: Configure IPSec Crypto Maps 

= Crypto Map Commands Example 

m Step 5: Apply Crypto Maps to Interfaces 

m IPSec Configuration Examples 

= Summary 


B Quiz 
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IPSec Configuration 


This topic describes the steps that are used to configure IPSec encryption on Cisco routers. 


Task 3—Configure IPSec 
ar Ee, ae 
Task 1 — Prepare for IKE and IPSec 
Task 2 — Configure IKE 
Task 3 — Configure IPSec 
Step 1—Configure transform set suites 
crypto ipsec transform-set 


Step 2—Configure global IPSec SA lifetimes 


crypto ipsec security-association 
lifetime 


Step 3—Create crypto ACLs using extended access lists 
crypto map 
Step 4—Configure IPSec crypto maps 
Step 5—Apply crypto maps to interfaces 
crypto map map-name 
Task 4 — Test and Verify IPSec 
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Configuring IPSec consists of these essential steps and commands: 
Step 1 Configure transform set suites with the crypto ipsec transform-set command. 


Step 2 If it is necessary to change the default, configure global IPSec security association 
lifetimes with the crypto ipsec security-association lifetime command. 


Step 3 Configure crypto ACLs with the access-list command. 
Step 4 Configure crypto maps with the crypto map command. 


Step 5 Apply the crypto maps to the terminating or originating interface with the interface 
and crypto map commands. 
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Step 1: Configure Transform Set Suites 


This topic describes the first major step in configuring Cisco IOS IPSec, using the IPSec 
security policy to define a transform set. 


Step 1—Configure Transform Sets 


router(config) # 


erypto ipsec transform -set transform -set-name 
transforml [transform2 [transform3]] 
router (cfg-crypto -trans) # 


« A transform set is a combination of IPSec transforms that enact a security 
policy for traffic. 


* Sets are limited to up to one AH and up to two ESP transforms. 
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A transform set is a combination of individual IPSec transforms that are designed to enact a 
specific security policy for traffic. During the ISAKMP IPSec SA negotiation that occurs in 
IKE Phase 2 quick mode, the peers agree to use a particular transform set for protecting a 
particular data flow. Transform sets combine these IPSec factors: 


™ Mechanism for payload authentication: AH transform 

= Mechanism for payload encryption: ESP transform 

m IPSec mode (transport versus tunnel) 

Transform sets equal a combination of an AH transform, an ESP transform, and the IPSec 
mode (either tunnel or transport mode). Transform sets are limited to one AH transform and 
one or two ESP transforms. Define a transform set with the crypto ipsec transform-set global 


configuration command. To delete a transform set, use the no form of the command. The 
command syntax and parameter definitions are as follows: 


crypto ipsec transform-set transform-set-name transforml 
[transform2 [transform3] ] 
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crypto ipsec transform-set Command Parameters 


Command Description 

trans form-set-name Specifies the name of the transform set to create (or modify). 
transforml1, Specifies up to three transforms. These transforms define the 
transform2, transform3 IPSec security protocol(s) and algorithm(s). 


The command invokes the crypto-transform configuration mode. 


You can configure multiple transform sets and then specify one or more of the transform sets in 
a crypto map entry. The transform set defined in the crypto map entry is used in the IPSec SA 
negotiation to protect the data flows specified by the ACL of that crypto map entry. During the 
negotiation, the peers search for a transform set that is the same at both peers. When such a 
transform set is found, it is selected and applied to the protected traffic as part of the IPSec SAs 
of both peers. 


When ISAKMP is not used to establish SAs, a single transform set must be used. The transform 
set is not negotiated. 


Edit Transform Sets 


Use these steps if you must edit a transform set: 

Step 1 Delete the transform set from the crypto map. 

Step 2 Delete the transform set from global configuration. 
Step 3 Reenter the transform set with corrections. 

Step 4 Assign the transform set to a crypto map. 

Step 5 Clear the SA database. 


Step 6 Observe the SA negotiation and ensure that it works properly. 
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Set Negotiation Transformation 


This topic describes the process of transform set negotiation. 


Transform Set Negotiation 
ee eee HE OE | 


Host A Host B 


RouterA Router 
Sy tere 
10.0.1.3 10.0.2.3 


transform -set to transform «sect 40 
esp -3des @6p-fes 
tunnel Me tunnel 


transform ~-set 20 = transform - set 40 
e5p-des, esp -mdS-hmac Ne esp-des. ah -sha -hmac 
tunnel pe tunnel 


transform - set 30 ee transform - set 60 
esp-3des, esp - sha- hmac e5p-Ides, esp - sha - mac 
tunnel a tunnel 


* Transform sets are negotiated during IKE Phase 2. 
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Transform sets are negotiated during quick mode in IKE Phase 2 using the transform sets that 
you previously configured. You can configure multiple transform sets and then specify one or 
more of the transform sets in a crypto map entry. Configure the transforms from most to least 
secure, according to your policy. The transform set defined in the crypto map entry is used in 
the IPSec SA negotiation to protect the data flows that are specified by the ACL of that crypto 


map entry. 


During the negotiation, the peers search for a transform set that is the same at both peers, as 
illustrated in the figure. Each of the RouterA transform sets are compared against each of the 
RouterB transform sets in succession. RouterA transform sets 10, 20, and 30 are compared with 
RouterB transform set 40. The result is no match. All of RouterA transform sets are then 
compared against RouterB transform sets. Finally, RouterA transform set 30 matches RouterB 
transform set 60. When such a transform set match is found, it is selected and is applied to the 
protected traffic as part of the IPSec SAs of both peers. IPSec peers agree on one unidirectional 
transform proposal per SA. 
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Step 2: Configure Global IPSec Security 
Association Lifetimes 


This topic describes how to configure global SAs. Both global and interface-specific SA 
lifetimes can be created. 


Step 2—Configure Global 
IPSec Security Association Lifetimes 


Host A Host 6 


| RouterA Routers j 
—* 5 =f 


Internet 
10.0.1.3 10.0.2.3 


router(config) # 


erypto ipsec security -association lifetime 
{seconds seconds | kilobytes kilobytes 


RouterA (config)# crypto ipsec security - association 
lifetime 86400 


Configures global IPSec SA lifetime values used when negotiating IPSec 
security associations. 


IPSec SA lifetimes are negotiated during IKE Phase 2. 


Can optically configure interface-specific IPSec SA lifetimes in 
crypto maps. 


IPSec SA lifetimes in crypto maps override global IPSec SA lifetimes. 


The IPSec SA lifetime determines how long IPSec SAs remain valid before they are 
renegotiated. Cisco IOS software supports a global lifetime value that applies to all crypto 
maps. The global lifetime value can be overridden with a crypto map entry. You can change 
global IPSec SA lifetime values using the crypto ipsec security-association lifetime global 
configuration command. To reset a lifetime to the default value, use the no form of the 
command. The command syntax and parameter definitions are as follows: 


crypto ipsec security-association lifetime {seconds seconds | 
kilobytes kilobytes} 


crypto ipsec security-association lifetime Command 


Command Description 


seconds seconds Specifies the number of seconds a security association will live 
before expiring. The default is 3600 sec (one hour). 


kilobytes kilobytes Specifies the volume of traffic (in kilobytes) that can pass 
between IPSec peers using a given SA before that SA expires. 
The default is 4,608,000 KB. 


Cisco recommends that you use the default lifetime values. Individual IPSec SA lifetimes can 
be configured using crypto maps, which are covered later in this lesson. 
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Crypto Access Lists Functionality 


This topic describes the purpose of crypto ACLs. Crypto ACLs are used to define which IP 
traffic is or is not protected by IPSec. 


Purpose of Crypto Access Lists 


Host A 


RouterA 
——_— Internet 
— 


Outbound Encrypt 
Bypass (clear text) 


Permit 
Bypass 


Discard (clear text) 


Outbound indicates the data flow to be protected by IPSec. 


Inbound filters out and discards traffic that should have been 
protected by IPSec. 
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Crypto ACLs perform these functions: 


= Outbound: Selects outbound traffic to be protected by IPSec. Traffic not selected is sent in 
clear text. 


= Inbound: If desired, inbound access lists can be created to filter and discard traffic that 
should have been protected by IPSec. 
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Step 3: Create Crypto ACLs Using Extended 


Access Lists 


This topic describes the process of using crypto ACLs to identify traffic flows that must be 


protected. 


Step 3—Create Crypto ACLs using 
Extended Access Lists 


Hosta 


RouterA Routers 
| Internet a? : 
0.013 100.23 


10.0.1.0 —— Encrypt ————> 100.20 


rouler|contgi 


aconan -liet acoesa - Liat 


[taseout nanutes a 


-nurdber [dynamio dynesic - nase 
deny | permati protece. sevurce 


ecusce ~ wiaicosrd destanatacn destamatace = waldosrd 
[precedence pracadancea) (tsa tes) [leg] 


RoutearA ({canfig )# aceass - list 110 paremit tep 10.0.1.0 
©.0.0.255 10.0.2.0 0.0.0.255 


¢ Define which IP traffic will be protected by crypto. 


¢ Permit = encrypt / Deny = do not encrypt. 


The crypto ACLs identify the traffic flows that should be protected. Extended IP ACLs select 
IP traffic to encrypt by using protocol, IP address, network, subnet, and port. Although the 
ACL syntax is unchanged from extended IP ACLs, the meanings are slightly different for 
crypto ACLs. That is, permit specifies that matching packets must be encrypted and deny 
specifies that matching packets must not be encrypted. Crypto ACLs behave similarly to an 
extended IP ACL that is applied to outbound traffic on an interface. 


The command syntax and parameter definitions for the basic form of extended IP access lists 


are as follows: 


access-list access-list-number { permit | deny } protocol 


source 


source-wildcard destination destination-wildcard [precedence 
precedence] [tos tos] [log] 


access-list access-list-number Command 


access-list access-list-number 


Description 


Command 

permit Causes all IP traffic that matches the specified conditions to be 
protected by crypto, using the policy described by the 
corresponding crypto map entry. 

deny Instructs the router to route traffic in the clear. 


source and destination 


These are networks, subnets, or hosts. 
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Note Although the ACL syntax is unchanged, the meanings are slightly different for crypto ACLs. 


That is, permit specifies that matching packets must be encrypted and deny specifies that 
matching packets must not be encrypted. 


Any unprotected inbound traffic that matches a permit entry in the crypto ACL for a crypto 
map entry that is flagged as IPSec will be dropped. This drop occurs because this traffic was 
expected to be protected by IPSec. 


If you want certain traffic to receive one combination of IPSec protection (authentication only) 
and other traffic to receive a different combination (both authentication and encryption), create 
two different crypto ACLs to define the two different types of traffic. These different ACLs are 
then used in different crypto map entries that specify different IPSec policies. 


Warning Cisco recommends that you avoid using the any keyword to specify source or destination 
addresses. The permit any any statement is strongly discouraged because this will cause 
all outbound traffic to be protected and all protected traffic to be sent to the peer that is 
specified in the corresponding crypto map entry. Then, all inbound packets that lack IPSec 
protection will be silently dropped, including packets for routing protocols, NTP, echo, echo 
response, and so on. 


Try to be as restrictive as possible when defining which packets to protect in a crypto ACL. If 
you must use the any keyword in a permit statement, you must preface that statement with a 
series of deny statements to filter out any traffic (that would otherwise fall within that permit 
statement) that you do not want to be protected. 


Later in Step 4, you will associate a crypto ACL to a crypto map, which in turn is assigned to a 
specific interface. 
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Symmetric Peer Crypto Access Lists 
Configuration 


This topic describes how to configure symmetric crypto ACLs for use by IPSec. 


Configure Symmetric Peer Crypto 
Access Lists 


Hosta Host B 


RouterA Routers 
met SH 
10.013 100.23 


E0/t 172.30.1.2 EOH 172..22 


RouterA ( config) ® sccess last 110 permit tcp 
10,.0.1.9 0.0,.9,.255 409.0.27.0 ©.0.0.255 


Routers ( config) # ateess ~ list 101 permit tcp 
10,0.2.9 0,0.0.255 10.0.3.0 ©.0.0.255 


* You must configure mirror image ACLs. 


You must configure symmetric crypto ACLs for use by IPSec. Both inbound and outbound 
traffic are evaluated against the same outbound IPSec ACL. The ACL criteria are applied in the 
forward direction to traffic exiting your router, and the reverse direction to traffic entering your 
router. When a router receives encrypted packets back from an IPSec peer, it uses the same 
ACL to determine which inbound packets to decrypt by viewing the source and destination 
addresses in the ACL in reverse order. 


The example shown in the figure illustrates why symmetric ACLs are recommended. For site 1, 
IPSec protection is applied to traffic between hosts on the 10.0.1.0 network as the data exits the 
RouterA 0 interface enroute to site 2 hosts on the 10.0.2.0 network. For traffic from site 1 hosts 
on the 10.0.1.0 network to site 2 hosts on the 10.0.2.0 network, the ACL entry on RouterA is 
evaluated as follows: 


™ source = hosts on 10.0.1.0 network 

m™ destination = hosts on 10.0.2.0 network 

For incoming traffic from site 2 hosts on the 10.0.2.0 network to site 1 hosts on the 10.0.1.0 
network, that same ACL entry on RouterA is evaluated as follows: 

™ source = hosts on 10.0.2.0 network 


= destination = hosts on 10.0.1.0 network 


Copyright © 2004, Cisco Systems, Inc. Virtual Private Networks 5-107 


Crypto Maps Functionality 


This topic describes the purpose of crypto maps. It also examines the crypto map command 
and considers example crypto maps. Crypto map entries must be created for IPSec to set up 
SAs for traffic flows that must be encrypted. 


Purpose of Crypto Maps 


Crypto maps pull together the various parts 
configured for IPSec, including: 


¢ The traffic to be protected by IPSec and a set of SAs 
The local address to be used for the IPSec traffic 
The destination location of IPSec-protected traffic 
The IPSec type to be applied to this traffic 
The method of establishing SAs (manually or via RSA) 
Other parameters needed to define an IPSec SA 


Crypto map entries that are created for IPSec set up SA parameters, thus tying together the 
various parts that are configured for IPSec, including: 


= The traffic to be protected by IPSec and a set of SAs (crypto ACL): The access list 
defines the address, protocol, and port information for traffic that will be encrypted. 


= The local address to be used for the IPSec traffic: The source address specified by the 
access list and the crypto map peer define the local address for IPSec traffic. 


= The destination location of IPSec-protected traffic: The destination specified by the 
access list defines the identity of the remote IPSec peer. 


m= The type IPSec security applied to this traffic: The transform set applies the method of 
encryption and authentication. 


m= The method of SA establishment: This establishment may be completed manually 
(preshared) or through RSA. 


= Other: Other parameters that might be necessary to define an IPSec SA. 
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Crypto Map Parameters 


This topic describes the use of crypto maps and their parameters. 


Crypto Map Parameters 


Site 1 


$ j RouterA 
= a Internet Se = 
10.0.1.3 10.0.2.3 


Crypto maps define the following: 
* The access list to be used 
* Remote VPN peers 
* Transform set to be used 
* Key management method _7 Encrypted traffic 
* Security association lifetimes Router 


Interface 
or Subinterface 


You can apply only one crypto map set to a single interface. The crypto map set can include a 
combination of Cisco Encryption Technology (CET) and IPSec using IKE. Multiple interfaces 
can share the same crypto map set if you want to apply the same policy to multiple interfaces. If 
you create more than one crypto map entry for a given interface, use the sequence number 
(seg-num) of each map entry to rank the map entries; the lower the seq-num, the higher the 
priority. At the interface that has the crypto map set, traffic is evaluated against higher priority 
map entries first. 


You must create multiple crypto map entries for a given interface if any of these conditions 
exist: 


m= If different data flows are to be handled by separate IPSec peers. 


= Ifyou want to apply different IPSec security to different types of traffic (to the same or 
separate IPSec peers); for example, if you want traffic between one set of subnets to be 
authenticated, and traffic between another set of subnets to be both authenticated and 
encrypted. In this case, the different types of traffic should be defined in two separate 
ACLs, and you must create a separate crypto map entry for each crypto ACL. 


m= If you are not using IKE to establish a particular set of security associations, and you want 
to specify multiple ACL entries, you must create separate ACLs (one per permit entry) and 
specify a separate crypto map entry for each ACL. 
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Step 4: Configure IPSec Crypto Maps 


This topic describes the use of the IPSec crypto map command. 


Step 4—Configure IPSec Crypto maps 


Host A 


j RouterA 
10.0.1.3 | 


router(config)# 


« Use a different sequence number for each peer. 
¢ Multiple peers can be specified in a single crypto map for redundancy. 
« Use one crypto map per interface. 
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You must use the crypto map global configuration command to create or modify a crypto map 
entry and enter the crypto map configuration mode. Set the crypto map entries that reference 
dynamic maps to the lowest priority in a crypto map set (that is, they should have the highest 
sequence numbers). Use the no form of this command to delete a crypto map entry or set. The 
command syntax and parameter definitions are as follows: 

crypto map map-name seq-num cisco 

crypto map map-name seq-num ipsec-manual 

crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-map-name] 


no crypto map map-name [seq-num] 
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crypto map map-name seq-num Command 


Command Description 

cisco (Default value) Indicates that CET will be used instead of IPSec 
for protecting the traffic specified by this newly specified crypto 
map entry. 

map-name The name you assign to the crypto map set. 

seq-num The number you assign to the crypto map entry. 


ipsec-manual 


Indicates that ISAKMP will not be used to establish the IPSec 
SAs for protecting the traffic specified by this crypto map entry. 


ipsec-isakmp 


Indicates that ISAKMP will be used to establish the IPSec SAs for 
protecting the traffic specified by this crypto map entry. 


Dynamic 


(Optional) Specifies that this crypto map entry references a 
preexisting static crypto map. If you use this keyword, none of the 
crypto map configuration commands are available. 


dynamic -map-name 


(Optional) Specifies the name of the dynamic crypto map set that 
should be used as the policy template. 


When you enter the config-crypto-map command, you invoke the crypto map configuration 
mode with the following available commands: 


router (config-crypto-map)# help 


match address [access-list-id | name] 


peer [hostname | ip-address] 


transform-set [set_name(s) ] 


security-association [inbound |outbound] 


set 


no 


exit 
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Crypto Map Commands Example 


This topic illustrates an example of a crypto map. 


Example Crypto Map Commands 


Host A 


0.0.1.3 


172.2042 


RouterAiconfig)# crypto map mymap 10 ipsec-isakep 
RouterA(comfig-crypto-™4Pp)@ match eddress 110 


RouterA(config~-crypto-map)! set 
RouterA(comfig-crypto-map)# set 
Reuterk (sanfigq=-crypen-nap)§ nat 
RouterA(comfig crypto caph® set 
RouterA(config-crypto-map)# set 


peer 172.30.2.2 

peer 172.30.3.2 

pf qeeapt 

transfcem set mize 

security - association lifetive seconds BMU0 |* 


« Multiple peers can be specified for redundancy. 
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The figure illustrates a crypto map with two peers specified for redundancy. If the first peer 
cannot be contacted, the second peer is used. There is no limit to the number of redundant peers 


that can be configured. 
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The crypto map command is used in crypto map configuration mode with the commands 


shown in the following table. 


config-crypto-map Command 


Command 


set 


Description 


Used with the peer, pfs, transform-set, and security- 
association commands. 


peer [hostname | ip- 
address] 


Specifies the allowed IPSec peer by IP address or hostname. 


pfs [groupl | group2] 


Specifies Diffie-Hellman Group 1 or Group 2. 


trans form-set 
[set name(s) ] 


Specify list of transform sets in priority order. For an ipsec- 
manual crypto map, you can specify only one transform set. For 
an ipsec-isakmp or dynamic crypto map entry, you can specify 
up to six transform sets. 


security-association 
lifetime 


Sets security association lifetime parameters in seconds or 
kilobytes. 


match address [access- 
list-id | name] 


Identifies the extended ACL by its name or number. The value 
should match the access-list-number or name argument of a 
previously defined IP-extended ACL being matched. 


no 


Used to delete commands entered with the set command. 


exit 


Exits crypto map configuration mode. 


After you define crypto map entries, you can assign the crypto map set to interfaces that use the 
crypto map (interface configuration) command. 


Note 


ACLs for crypto map entries tagged as ipsec-manual are restricted to a single permit entry, 


and subsequent entries are ignored. The SAs established by that particular crypto map entry 
are for a single data flow only. To be able to support multiple manually established SAs for 
different kinds of traffic, you must define multiple crypto ACLs and then apply each one to a 
separate ipsec-manual crypto map entry. Each ACL should include one permit statement 
that defines the traffic that it must protect. 
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Step 5: Apply Crypto Maps to Interfaces 


This topic describes the last step in configuring IPSec, which is to apply the crypto map set to 
an interface. 


Step 5—Applying Crypto Maps to Interfaces 


E0M 172.30.1.2 EON 1723022 


t 


mymap 


router(config-if)# 


RouterA (config)# interface ethernet0/1 
RouterA (config -if)# crypto map mymap 


« Apply the crypto map to outgoing interface 
* Activates the IPSec policy 


BCRAN v2.1—5-13 


Apply the crypto map to the interface of the IPSec router connected to the Internet with the 
crypto map command in interface configuration mode. Use the no form of the command to 
remove the crypto map set from the interface. The command syntax and parameter definition 


are as follows: 


crypto map map-name 


crypto map map-name Command 


Command Description 


This is the name that identifies the crypto map set, and is the 
name assigned when the crypto map is created. 
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IPSec Configuration Examples 


This topic illustrates an IPSec configuration example for two routers. 


IPSec Configuration Examples 


Ed 172.30,.1.2 


Rotor PF ahew wun degen ac 
crypts ipaee teansfermact mina esp <das 
! 

eryplo imap eyoap 10 ioews = Ls akmp 

AAR pear 172. 30.2.2 

set transiom - set 

mate address 110 

' 

ikeriece Bihernel as 

1p atkiewes DTH .SO.LLZe ESS. 

no ip dirested -Eroadeaat 

Crypto nap mynor 

' 


EON 172.20.2.2 


Kemi texkt & Me suneing-ooetlg 
erypte <psen crozafcrs ant mira asp- den 
! 


ceyple war ayasp 1 Lpews instep 
ner pear .72.9)...2 

se. transfore-set gine 

matoh acdcress 117 


crypts tap ryrep 
' 


socvess -liet 110 permit top 10 access — list 110 perest top Wy 
€.0.9.255 10.0.2.0 0.9.0.255 0.0.0.2S58 10.0.1.0 0.0.0.255 


Consider the configuration example for RouterA and RouterB in the figure and as follows. 


Note More complete commands relating to what has been covered so far in this lesson are shown 
in output. 


RouterA# show running-config 
crypto isakmp policy 100 

hash md5 

authentication pre-share 
crypto isakmp key ciscol1234 address 172.30.2.2 
! 
crypto ipsec transform-set mine esp-des 
! 

! 

crypto map mymap 10 ipsec-isakmp 

set peer 172.30.2.2 

set transform-set mine 

match address 110 

! 
interface Ethernet0/1 
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ip address 


172.30.1.2 255.255.255.0 


ip access-group 101 in 


crypto map 
! 

access-list 
access-list 


access-list 
isakmp 


access-list 
0.0.0.255 


access-list 


mymap 


101 permit ahp host 172.30.2.2 host 172.30.1.2 
101 permit esp host 172.30.2.2 host 172.30.1.2 
101 permit udp host 172.30.2.2 host 172.30.1.2 eq 


110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 


110 deny ip any any 


RouterB# show running-config 


crypto isakmp policy 100 


hash md5 


authentication pre-share 


crypto isakmp key ciscol234 address 172.30.1.2 


! 


crypto ipsec transform-set mine esp-des 


! 
! 


crypto map mymap 10 ipsec-isakmp 


set peer 172.30.1.2 


set transform-set mine 


match address 110 


! 


interface Ethernet0/1 


ip address 


172.30.2.2 255.255.255.0 


ip access-group 101 in 


crypto map mymap 


! 
access-list 
access-list 


access-list 
isakmp 


access-list 
0.0.0.255 


access-list 
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101 permit ahp host 172.30.1.2 host 172.30.2.2 


101 permit esp host 172.30.1.2 host 172.30.2.2 


101 permit udp host 172.30.1.2 host 172.30.2.2 eq 


110 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 


110 deny ip any any 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
eee can SMI P| 


° Configure transform set suites with the crypto ipsec 
transform-set command. 


* Configure global IPSec security association 
lifetimes with the crypto ipsec security-association 
lifetime command. 


* Configure crypto ACLs with the access-list 
command. 


* Configure crypto maps with the crypto map 
command. 


° Apply the crypto maps to the terminating and 
originating interface with the interface and crypto 
map commands. 
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Quiz 


Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 


QI) 


Q2) 


Q3) 


Q4) 


QS) 


Q6) 


Q7) 


Configuring IPSec requires the user to create an IPSec list in place of an access list. 
A) true 

B) false 

A router must have only one transform set in its running configuration in order for 
IPSec to function properly. 

A) true 

B) false 


When are transform sets negotiated? 

A) on the initial router configuration 
B) during IKE Phase 1 

C) during IKE Phase 2 


D) transform sets do not need to be negotiated 


Crypto SA lifetimes may be configured either globally, or per SA. 
A) true 
B) false 


What is the function of a crypto ACL? 

A) defines the source IP address of the IPSec traffic 

B) defines the destination IP address of the IPSec traffic 

C) provides protocol information for traffic that will be encrypted 


D) all of the above 


The crypto access list takes the exact same form as an extended access list. 

A) true 

B) false 

Which statement correctly describes access lists that are used to define IPSec peers on 
routers sending and receiving to each other? 

A) They must be identical. 

B) They must be identical, but each router can also have other access lists. 

C) They do not need to be related. 


D) They must be mirror images of each other, but each router can also have other 
access lists. 
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Q8) Which of the following cannot be done by crypto maps? 
A) define destination traffic for IPSec 
B) define source traffic for IPSec 
C) define the number of IPSec conversations that a router can maintain 
D) specify the granularity of traffic protected by SAs 
Q9) — What is the number of crypto maps that can be created on an interface? 


A) 0; crypto maps are global 


B) 1 
C) 2 
D) an unlimited number of crypto maps 


Q10) Which of the following commands are optional commands when you are configuring 


IPSec crypto maps? 

A) sequence number 

B) dynamic dynamic map name 
C) map name 


D) IPSec tuning number 


Q11) The crypto map peer command may be either a hostname or an IP address. 
A) true 
B) false 
Q12) Crypto maps must be applied to interfaces based on the map name interface number. 
A) true 
B) false 


Q13) Based on the access lists, ping (ICMP) traffic will be allowed into RouterA Ethernet 
0/1 interface from any source on the Internet. 
A) true 
B) false 
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Quiz Answer Key 


Ql) B 
Relates to: IPSec Configuration 
Q2) 8B 
Relates to: Step 1: Configure Transform Set Suites 
Q3) Cc 
Relates to: Set Negotiation Transformation 
Q4) A 
Relates to: Step 2: Configure Global IPSec Security Association Lifetimes 
Q5)  D 
Relates to: Crypto Access Lists Functionality 
Q6) A 
Relates to: Step 3: Create Crypto ACLs Using Extended Access Lists 
Q7) OD 
Relates to: Symmetric Peer Crypto Access Lists Configuration 
Q8) C¢ 
Relates to: Crypto Maps Functionality 
Q9)  B 
Relates to: Crypto Map Parameters 
Q10) B 
Relates to: Step 4: Configure IPSec Crypto Maps 
Qll) A 
Relates to: Crypto Map Commands Example 
Q12) A 
Relates to: Step 5: Apply Crypto Maps to Interfaces 
Q13) B 


Relates to: IPSec Configuration Examples 
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Task 4: Testing and Verifying 
IPSec 


Overview 


Cisco IOS software contains a number of show, clear, and debug commands that are useful for 
testing and verifying IPSec and ISAKMP. These commands are considered in this lesson. 


Relevance 


In order to implement IPSec, it is necessary to be able to test and verify that IPSec is 
functioning properly. 


Objectives 
Upon completing this lesson, you will be able to: 
m= List the commands to test and verify IPSec 
m™ Describe the use of the show crypto isakmp policy command 
m™ Describe the use of the show crypto ipsec transform-set command 
m™ Describe the use of the show crypto ipsec sa command 
m™ Describe the use of the show crypto map command 
m= Describe the use of the clear crypto isakmp command 
m™ Describe the use of the debug crypto command 


= Describe how to interpret crypto error messages for ISAKMP 


Learner Skills and Knowledge 
To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m= All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO) 
course 


m= All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course 


Outline 


5-122 


This lesson includes these topics: 


Overview 

Task 4: Test and Verify IPSec 

The show crypto isakmp policy Command 

The show crypto ipsec transform-set Command 
The show crypto ipsec sa Command 

The show crypto map Command 

The clear Commands 

The debug crypto Commands 

Crypto System Error Messages for ISAKMP 


Summary 


Quiz 
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Task 4: Test and Verify IPSec 


This topic describes the commands that are used to test and verify IPSec. 


Task 4—Test and Verify IPSec 
ee 


Task 1 — Prepare for IKE and IPSec 
Task 2 — Configure IKE 

Task 3 — Configure IPSec 

Task 4 — Test and Verify IPSec 


* Display your configured IKE policies. 
show crypto isakmp policy (show isakmp policy on a PIX) 


* Display your configured transform sets. 


show crypto ipsec transform set 


* Display Phase | security associations. 


show crypto isakmp sa (show isakmp sa on a PIX) 


* Display the current state of your IPSec SAs. 


show crypto ipsec sa 


Display your configured crypto maps. 
show crypto map 


Enable debug output for IPSec events. 
debug crypto ipsec 


¢ Enable debug output for ISAKMP events. 


debug crypto isakmp 


You can perform the following actions to test and verify that you have correctly configured the 
VPN using Cisco IOS software: 


m= Display your configured IKE policies using the show crypto isakmp policy command. 


m™ Display your configured transform sets using the show crypto ipsec transform set 


command. 


m™ Display the current state of your IPSec SAs with the show crypto ipsec sa command. 


m View your configured crypto maps with the show crypto map command. 


m Debug IKE and IPSec traffic through Cisco IOS software with the debug crypto ipsec and 
debug crypto isakmp commands. 


Note The Cisco PIX IPSec troubleshooting commands are very similar to the Cisco |OS 
commands. Differences in the “isakmp” versus “crypto isakmp” statements are noted in the 


figure. 
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The show crypto isakmp policy Command 


This topic illustrates an example of the show crypto isakmp policy command. 


show crypto isakmp policy 


10.0.1.3 


Bester shew oeysts i 

Preetection sucte of pracraty 1.0 
@ncryptico sigo>ithm: 
besh algorithm: 
euthbentscetion method 
hiffie~ eliman gromp: 
lifection: 

Default protection suite 
eneryptaon algorithm: 
bash algosithm: 
aullwal.calion awlhod. 


pelicy 


DES - Data 
Sesuse Hash Standard 
Rivest -Shamir -Adleman Signature 


Host 8 
RouterA Routers P 
100.23 


cyption Standard (56 bit keys). 


Datfie- Hellman group: #1 (768 bat) 


a.4afetime: 


364600 seconds 


no woluw liait 
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Use the show crypto isakmp policy EXEC command to view the parameters for each 
ISAKMP policy as shown in the following example for RouterA: 


RouterA# show crypto isakmp policy 


Protection suite of priority 110 


encryption algorithm: 
(56 bit keys). 


hash algorithm: 


authentication method: 


Diffie-Hellman group: 
lifetime: 
Default protection suite 


encryption algorithm: 
(56 bit keys). 


hash algorithm: 


authentication method: 


Diffie-Hellman group: 


lifetime: 
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DES - Data Encryption Standard 


Message Digest 5 
Rivest-Shamir-Adleman Encryption 
#1 (768 bit) 


86400 seconds, no volume limit 


DES - Data Encryption Standard 


Secure Hash Standard 
Rivest-Shamir-Adleman Signature 
#1 (768 bit) 


86400 seconds, no volume limit 
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The show crypto ipsec transform-set Command 


This topic illustrates an example of the show crypto ipsec transform-set command. 


show crypto ipsec transform-set 
show crypto isakmp sa30 


Host A 


RowterA RouterB 
— a Internet = ae 
10.0.1.3 


E0/1 172.3012 E01 172.30.22 


RouterA # show crypto ipsec transform -set 
Transform set mine: { esp-des } 


will negotiate = { Tunnel, }, 


* View the currently defined transform sets. 


RouterA # show crypto isakmp sa 
dst sre state conn-id slot 
172.30.2.2 172.30.1.2 QM IDLE 47 5 


* Shows Phase | security associations. 
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Use the show crypto ipsec transform-set EXEC command to view the configured transform 
sets. The command has the following syntax: 


show crypto ipsec transform-set [tag transform-set-name] 


show crypto ipsec transform-set Command 


Command Description 


tag transform-set-name (Optional) Shows only the transform sets with the specified 


transform-set-name 


If no transform-set-name keyword is used, all transform sets configured at the router are 
displayed. 


Use the show crypto isakmp sa command to show Phase I SAs. If the connection is working 
properly and an ISAKMP SA exists, it will be in its quiescent state—QM_IDLE—indicating 
that the ISAKMP SA is present but idle. It remains authenticated with its peer and may be used 
for subsequent quick mode exchanges. 
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The show crypto ipsec sa Command 


This topic illustrates an example of the show crypto ipsec sa command. 


show crypto ipsec sa 


Host A Host 8 


RouterA Routers 
10.0.1.3 10.023 


EM 172.30.1.2 EO 172.3022 


ReutearA# shew crypto spaac ze 
antertece: Etbercnet0/1 
Crypte map teg: mymp, iccal adir It? M17 


local ident (addr/mack/prot/port}: (172.10.1.2/255.255.255, 255/0/0) 
remete ident (addr/aask/prot/poct) > ¢(172.39,? 2/255. 755,955 2 55/0/0) 
curtent_powr: 172,30.2.2 

PERMIT, flags=(srigin ia acl,} 

#pkts encaps: 21, Ppkts encrypt: 21, Mpkts dicest 0 

tpkte decapa: 21, Ppkta deorypt: 21, HpPkta verity 0 

Seend errors 0, S2ecw errors 0 
local arypto ondpt.: 172.30.1.2, ceomote crypto cndpt.: 172. 50.2.2 
path mtv 1590, media mtu 1590 


curcemt outbound api: SAERICRC 
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Use the show crypto ipsec sa EXEC command to view the settings used by current SAs. If no 
keyword is used, all security associations are displayed. The command syntax is as follows: 


show crypto ipsec sa [map map-name | address | identity] 
[detail] 


show crypto ipsec sa Command 


Command Description 
map map-name (Optional) Shows any existing SAs created for the crypto map. 
address (Optional) Shows all the existing SAs, sorted by the destination 


address and then by protocol (Authentication Header [AH] or 
Encapsulating Security Payload [ESP}). 


identity (Optional) Shows only the flow information. It does not show the 
SA information. 


detail (Optional) Shows detailed error counters. (The default is the high- 
level send and receive error counters.) 
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The show crypto map Command 


This topic illustrates an example of the show crypto map command. 


show crypto map 


RouterA RouterB 


EO/t 172.30.1.2 EOM 172,30.22 


RouterARohow crypto map 
Crypte Msp "mymep" 10 ipsee-isakmp 
Peer = 172.39.2.2 
Zxtended IP access list 102 
access list 102 permit ap host 172.30.1.2 host 
172 .36.2.2 
Current peer: i72.30.2.2 
Security association lifetime: 4608000 kilabytes/3600 seconds 
P23 (Y/R): N 
Transform scts—{ minc, } 


¢ View the currently configured crypto maps. 


BCRAN v2.15-6 


Use the show crypto map EXEC command to view the crypto map configuration. If no 
keywords are used, all crypto maps configured at the router will be displayed. The command 
syntax is as follows: 


show crypto map [interface interface | tag map-name] 


show crypto map Command 


Command Description 

interface interface (Optional) Shows only the crypto map set applied to the specified 
interface 

tag map-name (Optional) Shows only the crypto map set with the specified map- 
name. 
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The clear Commands 


This topic illustrates an example of the clear commands for when you are changing or 
troubleshooting VPN tunnels. 


clear Commands 


sa 
sa peer <IP address | peer name> 

sa map <map name> 

sa entry <destination address protocol spi> 


* Clears IPSec SAs in router’s database 
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The clear commands are helpful to use after altering VPN configurations. When changing 
transform sets and global lifetimes, the changes will not all be applied to existing IPSec 
connections. To ensure that these settings affect all VPN connections, the clear commands 
must be used. If a VPN device is processing a great deal of IPSec traffic that should remain 
uninterrupted, the clear commands may be applied to specific maps, entries, or peers, if 
specified within the command. 


Note Using clear commands requires reestablishment of the VPN tunnel between devices and 
might cause inconvenience to the user. 


The clear commands are also beneficial when troubleshooting VPN connectivity. They can 
show if SAs are no longer being built by peers. By comparing results of show commands 
before and after clear commands are used, it is often apparent that ISAKMP or IPSec SAs are 
not created after making a network change. 


Occasionally, the Address Resolution Protocol (ARP) table will interfere with establishment or 
changes to IPSec tunnels and must be cleared. This ARP table interference occurs more often in 
PIX VPN configurations and can be remedied by clearing the ARP cache. Although not an 
IPSec-specific clear command, use the clear arp command to clear the ARP cache. 
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The debug crypto Commands 


This topic illustrates an example of the debug crypto commands. 


debug crypto 


router# 


debug crypto ipsec 


¢ Displays debug messages about all IPSec actions 


router# 


debug crypto isakmp 


¢ Displays debug messages about all ISAKMP actions 


Use the debug crypto ipsec EXEC and the debug crypto isakmp commands to display IPSec 
and ISAKMP events. The no form of these commands disables debugging output. 


Note Because this command generates a significant amount of output for every IP packet 
processed, use it only when traffic on the IP network is low so that other activity on the 
system is not adversely affected. 


The following example of ISAKMP and IPSec debugging shows normal IPSec setup messages. 
Note the inline comments (!). 


RouterA# debug crypto ipsec 

Crypto IPSEC debugging is on 

RouterA# debug crypto isakmp 

Crypto ISAKMP debugging is on 

RouterA# 

*Feb 29 08:08:06.556 PST: IPSEC(sa_request): , 

(key eng. msg.) src= 172.30.1.2, dest= 172.30.2.2, 
src_proxy= 10.0.1.0/255.255.255.0/0/0 (type=4), 
dest_proxy= 10.0.2.0/255.255.255.0/0/0 (type=4), 
protocol= ESP, transform= esp-des esp-md5-hmac , 


lifedur= 3600s and 4608000kb, 
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! Interesting traffic from Sitel 


*Feb 29 08:08:06. 


*Feb 
ID = 


*Feb 


29 
0 


29 


against 


*Feb 
*Feb 
*Feb 
*Feb 
*Feb 


29 
29 
29 
29 
29 


08:08:06. 


08:08:06. 
priority 


08:08:06. 
08:08:06. 
08:08:06. 
08:08:06. 
08:08:06. 


payload is 0 


556 
828 


828 
100 


828 
828 
828 
832 
832 


PST: ISAKMP 
PST: ISAKMP 


PST: ISAKMP 
policy 


PST: ISAKMP: 
PST: ISAKMP: 
PST: ISAKMP: 
PST: ISAKMP: 


PST: ISAKMP 


to 
(4) 
(4) 


(4): 


(4): 


spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004 


Site2 triggers ISAKMP Main Mode. 
: beginning Main Mode exchange 


: processing SA payload. message 


Checking ISAKMP transform 1 


encryption DES-CBC 
hash MD5 

default group 1 
auth pre-share 


atts are acceptable. Next 


! The IPSec peers have found a matching ISAKMP policy 


*Feb 29 08:08:06.964 PST: 


authentication 


ISAKMP (4): SA is doing pre-shared key 


! Preshared key authentication is identified 


*Feb 29 08:08:07. 


ID = 
*Feb 


0 
29 


message 


*Feb 
*Feb 
*Feb 


*Feb 
ID = 


*Feb 
ID = 


*Feb 


29 
29 
29 


29 
0 


29 
0 


29 


08:08:07. 
ID = 0 


08:08:07. 
08:08:07. 
08:08:07. 
08:08:07. 


08:08:07. 


08:08:07. 


172.30.2.2 


! Main mode is complete. 


368 


540 


540 
540 
544 
676 


676 


680 


PST: ISAKMP (4): processing KE payload. message 


PST: ISAKMP 


PST: ISAKMP 
PST: ISAKMP 
PST: ISAKMP 
PST: ISAKMP 


PST: ISAKMP 


PST: ISAKMP 


(4): 


(4): 
(4): 
(4): 
(4): 


(4): 


(4): 


processing NONCE payload. 


SKEYID state generated 
processing vendor id payload 
speaking to another IOS box! 


processing ID payload. message 


processing HASH payload. message 


SA has been authenticated with 


The peers are authenticated, and secret 


! keys are generated. On to Quick Mode! 


*Feb 29 08:08:07.680 PST: 
M-ID of -1079597279 
*Feb 29 08:08:07.680 
*Feb 29 08:08:07.680 
for SA 
from 172.30.2.2 
*Feb 29 08:08:08.424 
ID = -1079597279 
*Feb 29 08:08:08.424 
*Feb 29 08:08:08.424 PST: ISAKMP: 
*Feb 29 08:08:08.424 PST: ISAKMP: 
*Feb 29 08:08:08.424 PST: ISAKMP: 
*Feb 29 08:08:08.424 PST: ISAKMP: 


ISAKMP (4): beginning Quick Mode exchange, 


PST: IPSEC(key_engine): got a queue event... 
PST: IPSEC(spi_response): getting spi 3658276911d 


to 172.30.1.2 


for prot 3 


PST: ISAKMP (4): processing SA payload. message 


PST: ISAKMP (4): Checking IPSec proposal 1 
transform 1, ESP_DES 
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attributes in transform: 
encaps is 1 


SA life type in seconds 


Copyright # 2004, Cisco Systems, Inc. 


*Feb 29 08:08:08.424 PST: 
3600 


*Feb 29 08:08:08.428 PST: 


*Feb 29 08:08:08.428 PST: 
0x46 0x50 0x0 


*Feb 29 08:08:08.428 PST: 
*Feb 29 08:08:08.428 PST: 


*Feb 29 08:08:08.428 PST: 
part #1, 


ISAKMP : SA life duration (basic) of 


ISAKMP : SA life type in kilobytes 
ISAKMP : SA life duration (VPI) of 0x0 
ISAKMP: authenticator is HMAC-MD5 


ISAKMP (4): atts are acceptable. 
IPSEC (validate_proposal_request): proposal 


(key eng. msg.) dest= 172.30.2.2, src= 172.30.1.2, 
dest_proxy= 10.0.2.0/255.255.255.0/0/0 (type=4), 
src_proxy= 10.0.1.0/255.255.255.0/0/0 (type=4), 


protocol= ESP, transform= esp-des esp-md5-hmac , 


lifedur= Os and Okb, 


spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4 


*Feb 29 08:08:08.432 PST: 
message ID = -10 


79597279 


*Feb 29 08:08:08.432 PST: 
ID = -1079597279 


*Feb 29 08:08:08.432 PST: 
ID = -1079597279 


ISAKMP (4): processing NONCE payload. 


ISAKMP (4): processing ID payload. message 


ISAKMP (4): processing ID payload. message 


! A matching IPSec policy has been negotiated and authenticated. 
! Next the SAs are set up. 


*Feb 29 08:08:08.436 PST: 


*Feb 29 08:08:08.436 PST: 
172.30.1.2 


(proxy 10.0.2.0 


*Feb 29 08:08:08.436 PST: 
flags 4 


*Feb 29 08:08:08.436 PST: 
*Feb 29 08:08:08.440 PST: 


*Feb 29 08:08:08.440 PST: 
172.30.2.2 


(proxy 10.0.1.0 


*Feb 29 08:08:08.440 PST: 
flags 4 


*Feb 29 08:08:08.440 PST: 
*Feb 29 08:08:08.440 PST: 
*Feb 29 08:08:08.440 PST: 
*Feb 29 08:08:08.440 PST: 


ISAKMP (4): Creating IPSec SAs 
inbound SA from 172.30.2.2 to 


to 10.0.1.0 ) 
has spi 365827691 and conn_id 5 and 


lifetime of 3600 seconds 
lifetime of 4608000 kilobytes 
outbound SA from 172.30.1.2 to 


to 10.0.2.0 ) 
has spi 470158437 and conn_id 6 and 


lifetime of 3600 seconds 
lifetime of 4608000 kilobytes 
IPSEC (key_engine): got a queue event... 


IPSEC (initialize_sas): , 


(key eng. msg.) dest= 172.30.1.2, src= 172.30.2.2, 
dest_proxy= 10.0.1.0/255.255.255.0/0/0 (type=4), 
src_proxy= 10.0.2.0/255.255.255.0/0/0 (type=4), 


protocol= ESP, transform= esp-des esp-md5-hmac , 


lifedur= 3600s and 4608000kb, 
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spi= 0x15CE166B (365827691), conn_id= 5, keysize= 0, flags= 0x4 
*Feb 29 08:08:08.444 PST: IPSEC(initialize sas): , 
(key eng. msg.) src= 172.30.1.2, dest= 172.30.2.2, 
src_proxy= 10.0.1.0/255.255.255.0/0/0 (type=4), 
dest_proxy= 10.0.2.0/255.255.255.0/0/0 (type=4), 
protocol= ESP, transform= esp-des esp-md5-hmac , 
lifedur= 3600s and 4608000kb, 
spi= 0x1C060C65 (470158437), conn_id= 6, keysize= 0, flags= 0x4 
*Feb 29 08:08:08.444 PST: IPSEC(create_sa): sa created, 
(sa) sa_dest= 172.30.1.2, sa_prot= 50, 
Ssa_spi= 0x15CE166B (365827691), 
sa_trans= esp-des esp-md5-hmac , sa_conn_id= 5 
*Feb 29 08:08:08.444 PST: IPSEC(create_sa): sa created, 
(sa) sa_dest= 172.30.2.2, sa_prot= 50, 
sa_spi= 0x1C060C65 (470158437), 
sa_trans= esp-des esp-md5-hmac , sa_conn_id= 6 
! IPSec SAs are set up and data can be securely exchanged. 


RouterA# 
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Crypto System Error Messages for ISAKMP 


This topic describes how to interpret crypto error messages for ISAKMP. 


Crypto System Error Messages for ISAKMP 


%CRYPTO -6-IKMP SA NOT AUTH: Cannot accept Quick Mode exchange 
from %15i if SA is not authenticated! 


° ISAKMP SA with the remote peer was not authenticated. 


%CRYPTO -6-IKMP SA NOT OFFERED: Remote peer %15i responded with 
attribute [chars] not offered or changed 


° ISAKMP peers failed protection suite negotiation for ISAKMP. 


Cisco IOS software can generate many useful system error messages for ISAKMP. Two of the 
error messages are as follows: 


mg %CRYPTO-6-IKMP SA NOT AUTH: Cannot accept Quick Mode exchange from 
%15i if SA is not authenticated :—The ISAKMP security association with the remote peer 
was not authenticated yet the peer attempted to begin a quick mode exchange. This 
exchange must only be done with an authenticated SA. The recommended action is to 
contact the remote peer administrator to resolve the improper configuration. 


m %CRYPTO-6-IKMP SA NOT OFFERED: Remote peer %15i responded with 
attribute [chars] not offered or changed—ISAKMP peers negotiated policy by the initiator 
offering a list of possible alternate protection suites. The responder responded with an 
ISAKMP policy that the initiator did not offer. The recommended action is to contact the 
remote peer administrator to resolve the improper configuration. 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
ee en nnn SAMO] 


* Display your configured IKE policies using the 
show crypto isakmp policy command. 


* Display your configured transform sets using the 
show crypto ipsec transform set command. 


* Display the current state of your IPSec SAs with 
the show crypto ipsec sa command. 


* View your configured crypto maps with the show 
crypto map command. 

* Debug IKE and IPSec traffic through the Cisco lIOS 
with the debug crypto ipsec and debug crypto isakmp 
commands. 


Next Steps 
For the associated lab exercise, refer to the following section of the course Lab Guide: 


m Lab Exercise 5-1: Configuring a Site-to-Site IPSec VPN Using Preshared Keys 
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Quiz 


Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 


Ql) 


Q2) 


Q3) 


Q4) 


Q5) 


Q6) 


Q7) 


Q8) 


Which command displays all crypto maps? 
A) display crypto transform 

B) show crypto map 

C) show crypto isakmp policy 

D) debug crypto isakmp 


The show crypto isakmp policy command will display the hash algorithm. 

A) true 

B) false 

If a transform set name is not specified in the show crypto ipsec transform-set 
command, what is the result? 

A) The router will not understand the command. 

B) It will turn on crypto ipsec debugging. 

C) Every configured transform set will be displayed. 

The state QM_ IDLE on the show crypto isakmp sa command means the configuration 
is idle and the tunnel is not working. 

A) true 

B) false 

The show crypto ipsec sa shows the settings used by current security associations. 
A) true 

B) false 

The show crypto map command will display peer addresses. 

A) true 

B) false 

Clearing the full security association database should be reserved for large-scale 
changes, or when a device is processing only a small amount of other IPSec traffic. 
A) true 

B) false 

Debug commands are acceptable to use on a busy network. 

A) true 

B) false 
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Q9)  Ifaremote router responds with an unoffered ISAKMP policy, the communication will 
continue to function normally. 


A) true 
B) false 
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Quiz Answer Key 


Ql) 


Q3) 


Q4) 


Q5) 


Q6) 


Q7) 


Q8) 


Q9) 


B 


Relates to: 


A 


Relates to: 


Cc 


Relates to: 


B 


Relates to: 


A 


Relates to: 


A 


Relates to: 


A 


Relates to: 


B 


Relates to: 


B 


Relates to: 
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Task 4: Test and Verify IPSec 


The show crypto isakmp policy Command 


The show crypto ipsec transform-set Command 


The show crypto ipsec sa Command 


The show crypto ipsec sa Command 


The show crypto map Command 


The clear Commands 


The debug crypto Commands 


Crypto System Error Messages for ISAKMP 
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Module 6 | 


Using ISDN and DDR to 
Enhance Remote Connectivity 


Overview 


ISDN is typically deployed to provide remote access for small office or home office. This 
module reviews the configuration of dial-on-demand routing (DDR) to implement ISDN dial 
up for remote access. 


Objectives 


Upon completing this module, you will be able to: 


Outline 


List the steps and commands that are required to configure an ISDN connection 
List the tasks that are required to successfully configure an ISDN PRI connection 
Configure ISDN DDR using dialer maps 

Define interesting traffic with dialer and access lists 

Explain various ISDN PPP configuration options that are used with DDR 


Verify and troubleshoot ISDN environments using Cisco IOS commands 


The module contains these lessons: 


Configuring ISDN BRI 

Configuring ISDN PRI 

Configuring DDR 

Verifying ISDN and DDR Configurations 


6-2 Building Cisco Remote Access Networks (BCRAN) v2.1 Copyright © 2004, Cisco Systems, Inc. 


Configuring ISDN BRI 


Overview 


To connect to an ISDN network, you must use the correct router. A BRI interface requires 
specific commands to enable ISDN. 


Relevance 


Because ISDN is still widely used for remote access and backup connectivity, it is important to 
know how to configure an ISDN BRI interface. This lesson covers the concepts and commands 
for configuring ISDN BRI. 


Objectives 
Upon completing this lesson, you will be able to: 
m Identify the ISDN BRI services and protocols 
m List the steps and commands that are required to configure an ISDN connection 
= Configure the appropriate switch type with the isdn switch-type command 


™ Configure the Layer 2 B channel encapsulation method with the encapsulation ppp or 
encapsulation hdle commands 


m™ Describe the basic concepts of ISDN SPIDs 
= Configure SPIDs with the isdn spid1 and isdn spid2 commands 
™ Configure advanced calling features to accept and respond to selected ISDN calls 


= Configure channel rate adaption using the speed command available in dialer maps 


Learner Skills and Knowledge 
To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m= All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO) 
course 


m= All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course 


Outline 


6-4 


This lesson includes these topics: 


Overview 


ISDN 
ISDN 
ISDN 
ISDN 
ISDN 
ISDN 


Services 

Protocols 

Protocol Layers 
Configuration Tasks 
Configuration Commands 


Switch Types 


Interface Protocol Settings 


SPID Setting If Necessary 


Caller Identification Screening 


Configuration of Caller ID Screening 


Called-Party Number Verification 


Rate Adaption 


Summary 


Quiz 
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ISDN Services 


This topic describes the differences between ISDN BRI and ISDN PRI. ISDN services are 


offered as either ISDN BRI or ISDN PRI. 


ISDN Services 


56/64 kbps 
56/64 kbps % 192 kbps 


16 kbps 


23B (T1) or T1 1.444 Mbps 


30B (E1) 
or 


E1 2.048 Mbps : 
{includes sync): 


BCRAN v2.1—6-2 


ISDN BRI specifies: 


Two 64 kbps B Channels (bearer channels) used mainly for video, data or voice 


One 16 kbps D Channel (data or delta channel) used mainly for signaling of the B Channels 


Framing and synchronization overhead at 48 kbps 


m Total speed (64 * 2) + (16 + 48) = (128 + 64) = 192 kbps 
m Intended to be used at small concentration points 
Note The B channel carries the main data. The D channel carries control and signaling 


information. 
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ISDN Protocols 


This topic describes the most common components and reference points of ISDN BRI. ISDN 
BRI includes various components and reference points. 


BRI Reference Points 


To Non-ISDN 
Device (TE2) To ISDN 


Service 


Cisco ISDN 


Router — 
(TE1) 4-Wire 2-Wire 
Circuit Circult 


BCRAN v2.16-3 


Given all the ISDN interface abbreviations such as T, S, U, S/T, and so on, what do all of these 
components and reference points look like in practice? 


When creating a network, connect the Network Termination 1 (NT-1) to the wall jack with a 
standard two-wire connector, then to the ISDN phone, terminal adapter, Cisco ISDN router, and 
perhaps a fax with a four-wire connector. The S/T interface is implemented using an eight-wire 
connector (two pairs for data transmission and two pairs for providing optional power to the 
NT and TE). 


Because RJ-11 and RJ-45 connectors look similar, caution should be taken when connecting 
ISDN devices. 

The S/T reference point is: 

= Four-wire interface (sending [TX] and receiving [RX]) 

= Point-to-point and multipoint (passive bus), as shown in the figure 


= Covered by International Telecommunication Union Telecommunication Standardization 
Sector (ITU-T) 1.430 physical layer specification for BRI interfaces, and American 
National Standards Institute (ANSI) T1.601 standard for the United States 


The S/T interface defines the interface between a TE1 or terminal adaptor (TA) and an NT. A 
maximum of eight devices can be daisy-chained to the S/T bus. 


The U interface defines the two-wire interface between the NT-1 and the ISDN cloud. The U 
interface is used in the United States. Countries outside the United States use an S/T interface. 
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The R interface defines the interface between the TA and an attached non-ISDN device (TE2). 


In North America, the NT-1 function is commonly integrated into the ISDN device (router, 
TA), thus permitting a direct connection from the ISDN device to the telco jack. 


An NT-1 and NT-2 combination device is sometimes referred to as an NTU. In most countries, 


the NT-1/NT-2 combination is provided by the service provider (telco), and customer access is 
available only at the S/T interface. 
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ISDN Protocol Layers 


This topic discusses ISDN protocol layers. ISDN is based on a suite of standards. 


ISDN Protocol Layers 


D Channel B Channel 


DSS1 (Q.931) 


LAPD (Q.921) HDLC/PPP 


1.430/1.431/ANSI 71.601 
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The B channel carries Layer 3 protocols for data transmission. It typically operates in either a 
High-Level Data Link Control (HDLC) or PPP encapsulation mode at Layer 2 to encapsulate 
the upper-layer protocols such as IP. Although not as common, other encapsulations such as 
Frame Relay can be used, depending on networking requirements. 


The D channel is continuously active and works with dial-on-demand routing (DDR) to build 
connections over the ISDN connection. The D Channel uses Q.921 (also known as LAPD) at 
the Data Link Layer and Q.931 at the Network Layer. The B Channel uses PPP or HDLC at the 
Data Link Layer and IP, IPX, Appletalk, and so on for the Network Layer. 


The ITU-T 1.430 and I.431 standards define the physical layer for the BRI and PRI network 


interfaces, respectively. In the United States, the U and S/T interfaces are governed by the 
ANSI T1.601 standards and conform, where possible, to the ITU-T specifications. 
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ISDN Configuration Tasks 


This topic describes the configuration tasks that are required to successfully configure an ISDN 
BRI connection. Configuring ISDN BRI requires global and interface configuration tasks. 


ISDN Configuration Tasks 


a ---z._- ISDN 7... 


¢ Global configuration 
— Select switch type 
— Specify traffic to trigger call 
° Interface configuration 
— Select interface specifications 
— Configure ISDN addressing 
* Optional feature configuration 


To configure an ISDN BRI interface on a router, you must use specific global and interface 
configuration commands. 


Global configuration includes these steps: 


Step 1 Select the switch type that matches the ISDN provider switch at the central office 
(CO). 


Step 2 Set destination details. Indicate static routes from the router to other ISDN 
destinations. 


Step 3 Specify the traffic criteria that initiate an ISDN call to the appropriate destination. 


Interface configuration includes these steps: 


Step 1 Select the ISDN BRI port and configure an IP address and subnet mask. 


Although the interface automatically inherits the global switch-type setting, some 
configurations may require a specific switch type to be configured on an interface. 


Step 2 Specify the encapsulation if it is not HDLC. If PPP encapsulation is selected 
(typical), configure PPP including authentication, callback, and multilink options. 


Step 3 Configure ISDN addressing and any parameters supplied by the ISDN service 
provider. 


Step 4 Configure DDR information and calling parameters. 


Step 5 Configure optional features, including time-to-wait for the ISDN carrier to respond 
to the call, and seconds of idle time before the router times out and drops the call. 
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ISDN Configuration Commands 


This topic describes the configuration commands that are required to successfully configure an 
ISDN BRI connection. Configuring ISDN BRI requires global and interface configuration 
commands. 


ISDN Configuration Commands 


¢ Global commands: 
—isdn switch-type 

° Interface commands: 
—ip address 
—isdn switch-type 
— encapsulation ppp 


—PPP options 
(for example, Authentication, Multilink) 


—isdn spid1 
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At the global level, the administrator must specify the ISDN service provider CO switch type. 
There are several types of switches to choose from and some of these require special 
parameters. Because standards signaling specifics differ by region, the switch type varies 
according to its geographical location. For example, the DMS-100 and National-1 require a 
service profile identifier (SPID) to be specified. This is optional on some switches (for 
example, AT&T SESS), or may not required at all on other switches. 


Although the interface configuration and selection tasks apply to all routers, this topic focuses 
on BRI for access routers. (PRI details for Cisco routers and access servers with T1/E1 
controllers are covered in lesson two.) 


Configuring the ISDN interface may include assigning the IP address, defining encapsulation, 
and creating ISDN service profile statements. The tasks also include a legacy method of 
configuring ISDN with the dialer map command. The dialer map command statically maps a 
remote site (usually its host name) to a destination IP address (Layer 3 address) and ISDN dial 
number (Layer 2 address). A more contemporary implementation includes creating dialer 
profiles that dynamically create these mappings. (Dialer maps are covered later in this module, 
and dialer profiles are covered in module 7.) 
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ISDN Switch Types 


This topic describes the isdn switch-type command. Selecting the correct switch type to 
connect is crucial when configuring ISDN BRI. 


Selecting the ISDN Switch Type 


Router (config) #isdn switch-type switch-type 


Router (config-if)#isdn swtich-type switch-type 


° Specifies the type of ISDN switch with which the 
router communicates 
¢ Global or interface command 


Use the isdn switch-type command to specify the CO switch to which the router connects. For 
BRI ISDN service, the possible switch types and their corresponding commands are shown in 
the table. 


isdn switch-type Commands 


Command Description 
basic-5ess AT&T basic rate switches (United States) 
basic-dms100 NT DMS-100 (North America) 
basic-ni National ISDN-1 (North America) 
basic-qsig PINX (PBX) switches with QSIG signaling per Q.931 
basic-net3 NET3 switch type for United Kingdom, Europe, Asia, and Australia 
Ntt Japanese NTT ISDN switches 
none No switch defined 
Note Other switch types are available. The list of switch types can differ based on the Cisco lOS 


software version that is used. 
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When the isdn switch-type command is used in global configuration mode, all ISDN interfaces 
on the router are configured for that switch type. Beginning with Cisco IOS Release 11.3T, the 
interface configuration mode command was introduced to allow different interfaces to be 
configured with different switch types. If the command is used in interface configuration mode, 
only the interface that is configured assumes that switch type. The interface setting always 
overrides the global setting. 
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Interface Protocol Settings 


This topic describes the encapsulation ppp and encapsulation hdle commands. You may have 
to configure the Layer 2 B channel encapsulation protocol and authentication when configuring 
ISDN BRI. 


BRI Configuration Example 


asdn switch-type basic-—ni 

' 

interface BRIO 

ip address 10.1.200.1 255.255.255.252 


enoapeulation PPP 
ppp authentication chap 


asdn spidi 51055520010001 5552001 
isdn spid2 51055520020001 5552002 


dialer-group i 


The interface bri interface-number command designates the interface that is used for ISDN on 
a router acting as a TE] device. 


A router without a native BRI interface is a TE2 device. It must connect to an external ISDN 
TA via a serial interface. On a TE2 router, the interface serial interface-number command 
must be used. 


The default encapsulation on a BRI interface is HDLC. The encapsulation ppp command 
changes the encapsulation on the ISDN interface. Although HDLC encapsulation offers a 
simpler configuration, it lacks much of the functionality provided by PPP. Some of the 
functionality that is lacking includes link control protocol (LCP) options such as Password 
Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP) 
authentication, as well as multilink capability. Authentication is typically a requirement in 
networks of today, particularly if calls are to be received from multiple dialup sources. 
Otherwise, calling line identification (CLID) can be used with HDLC encapsulation to identify 
callers, providing that the service provider sends this information. 


To revert from PPP encapsulation to the default, use the encapsulation hdle command. Other 


encapsulation options for BRI interfaces may include Link Access Procedure, Balanced 
(LAPB) and Frame Relay. 
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SPID Setting If Necessary 


6-14 


This topic describes ISDN SPIDs and the isdn spid1 and isdn spid2 commands. Depending on 
the switch type, you may have to configure SPIDs. 


BRI Configuration Example (Cont.) 


isdn switch-type basic~-ni 
' 


interface BRIO 

ip address 10.1.200.1 255.255.255.252 
encapsulation ppp 

ppp authentication chap 

isdn «6 . 5105 0010001 5552001 
dean spia2 51089520020001 5982002 
dialer-group 1 
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Several ISDN service providers use CO switches that require dial-in numbers called SPIDs. 
The SPIDs are used to authenticate call requests that are within contract specifications. These 
switches include National ISDN and DMS-100 ISDN switches, as well as the AT&T 5ESS 
multipoint switch. SPIDs are used only in the United States and are typically not required for 
ISDN data communications applications. The service provider supplies the local SPID 
numbers. If uncertain, contact the service provider to determine if the SPIDs must be 
configured on your access routers. 


Use the isdn spid1 and isdn spid2 commands to access the ISDN network when your router 
makes its call to the local ISDN exchange. 


The isdn spid1 command syntax is shown in the figure for the first BRI 64-kbps channel. The 
field for /dn, if required, matches the number provided by the dialer map command. 
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The commands for isdn spid1 and isdn spid2 are listed in the following table. 


isdn spid1 and isdn spid2 Commands 


Command Description 


Spid-number Number identifying the service to which you have subscribed. This 
value is usually a ten-digit telephone number followed by more digits. 
The ISDN service provider assigns this value. 


Idn (Optional) Seven-digit local directory number assigned by the ISDN 
service provider. 


Note If you want the SPID to be automatically detected, you can specify 0 for the spid-number 
argument. You can also use the interface command isdn autodetect for SPID and switch 
type detection. This command is available in IOS Release 12.0(3)T and later. 


The /dn parameter allows you to associate up to three local directory numbers with each SPID. 
This number must match the called-party information coming in from the ISDN switch in order 
to use both B channels on most switches. 
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Caller Identification Screening 


6-16 


This topic describes the basic features of calling line identification (CLID). 


Caller Identification Screening 


Compare with 


allowed numbers 
Call setup message 


with local ISDN 


¢ Extra level of call management 
* Call not set up (or charged) until acceptance 


« Asimple alternative or additional layer of authentication for 
PPP CHAP 
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CLID (also known as caller ID) adds a level of security between ISDN connections by 
screening incoming ISDN calls based on the setup request. The calling number in the call setup 
request message supplied by the local service provider is verified against a table of allowed 
numbers configured in the router. 


This feature prevents charges for calls from unauthorized numbers. However, in some 
situations, there are charges for call setup attempts, even if the call does not pass caller ID 
screening. 


The figure shows the router, the medium, and the connection to the ISDN cloud. The upper 
arrow displays the number of the calling party (RouterA). The calling party number comes 
from the network, not from the router that initiated the call. 


The table at the right of the figure contains the allowed numbers that are configured on 
RouterB. Call verification using this table provides extra security. Call acceptance does not 
occur until the router has verified the calling number. 


CLID is not universally available. Not all service providers have the calling party number 
contained in the call setup request. In addition, CLID screening records the number exactly as it 
was sent, with or without an area code prefix, which can cause errors. 
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Configuration of Caller ID Screening 


This topic describes the commands that are required to enable CLID. 


Configuring CLID Screening 


Router (config-if)#isdn caller number 


* Enables CLID screening 


Use the isdn caller number command to configure ISDN CLID. This command configures the 
router to accept calls from the specified telephone number. More than one caller number can be 
assigned to an interface. 


The telephone number can be up to 25 characters in length. As part of this number, you can 
enter an x in any position to stand for any number (a “wildcard”’). 


For example, isdn caller 55666612xx would accept calls from any number beginning with 
55666612 followed by any other number in the last two positions. 
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Called-Party Number Verification 


6-18 


This topic describes the commands that are required to enable called-party number verification. 
Called-party number verification is used to ensure that the correct device answers an incoming 
call. 


Configuring Called Party Number 
Verification 


Router (config-if)#isdn answerl [called-party-number] 


or 


Router (config-if)#isdn answer2 [called-party-number] 


¢ Sets the number to allow the interface to respond 
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When multiple devices and a router share the same ISDN local loop, you can ensure that the 
correct device answers an incoming call. This guarantee is accomplished by configuring the 
router to verify the called-party number. However, the ISDN switch must support the delivery 
of called-party numbers. 


The isdn answerl1 interface configuration command verifies a called-party number or 
subaddress number in the incoming setup message for ISDN BRI calls, if the ISDN switch 
supplies the number. Use the isdn answer2 interface command to verify an additional called- 
party number or subaddress number. To remove a verification request, use the no form of the 
command. 


All calls are processed or accepted if you do not specify the isdn answer! or isdn answer2 
commands. If you specify one of these commands, the router must verify the incoming called- 
party number before processing or accepting the call. Devices on multipoint ISDN connections 
are typically assigned a specific subaddress. The isdn answerl command can also verify the 
incoming call based on the specific subaddress. 


You can configure just the called-party number or just the subaddress, in which case only that 
part will be verified. 
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The table describes the arguments for the isdn answer 1 command. 


isdn answerl [called-party-number] [:subaddress] 


isdn answer1 Command 


Command 


called-party-number 


Description 


Number supplied in the call setup request. 


(Optional) Identifies the number that follows as a subaddress. Use 
the colon (:) when you configure both the called-party number and 
the subaddress, or when you configure only the subaddress. 


sSubaddress 


(Optional) Subaddress number used for ISDN multipoint 
connections. 


Some service providers require that both isdn answer1 and isdn answer2 parameters be 


specified. 
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Rate Adaption 


This topic describes rate adaption. Rate adaption allows the ISDN channel to adjust to a lower 
speed if requested in the call setup. 


BRI Rate Adaption Configuration Example 


isdn switch-type basic~-ni 
' 


interface BRIO 

ip address 10.1.200.1 255.255.255.252 
encapsulation ppp 

ppp authentication chap 

Gialer map ip 10.1.200.2 name Routers 5551212 speed 56 
dialer-group 1 


If requested in the call setup by the access router, rate adaption allows the ISDN channel to 
adjust to a lower speed. The speed may be designated in a dialer map statement using the 
optional parameter of speed 56 or speed 64 on the router that is placing the call. 


Use rate adaption for cases where the destination does not use the default DS-0 of 64 kbps. The 
alternative speed used in most of North America is 56 kbps. 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
a en EN, 


° ISDN BRI: total speed is 64 kbps x 2 (B channels) + 
16 kbps (D channel) + 48 kbps (framing and 
synchronization) = 192 kbps. 


° In most countries, customer access to BRI is 
available at the S/T interface. 


¢ Enabling ISDN BRI requires global configuration 
and interface configuration commands. 


° A switch type can be configured in global 
configuration or in interface configuration mode. 


Summary (Cont.) 


* BRI supports HDLC encapsulation and 64 kbps by 
default. 


¢ PPP encapsulation is more advantageous because 
of its LCP options such as PAP, CHAP, Multilink. 


* Some ISDN switches require the configuration of 
SPID numbers. 


* BRI supports CLID and called-party number 
verification. 


¢ Use rate adaption for 56 kbps. 
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Quiz 


Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 


Ql) 


Q2) 


Q3) 


Q4) 


QS) 


What is the data rate of one ISDN B channel? 


A) 48 kbps 
B) 56 kbps 
C) 64 kbps 
D) 128 kbps 


Which ISDN channel is always active and in communication with the ISDN switch 
while using the Q.931 signaling protocol? 


A) A 
B) B 
O° <6 
D) OD 


Which ISDN channel carries network layer protocols for data transmission? 


A) A 
B) B 
a) a © 
De D 


Which type of configuration task category does configuring ISDN addressing fall into? 
A) global 

B) interface 

C) standard 

D) primary 

Which configuration task category level applies to specifying the ISDN service 
provider CO switch type? 

A) global 

B) interface 

C) standard 

D) primary 
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Q6) 


Q7) 


Q8) 


Q9) 


Q10) 


Which Cisco router global command is used to specify the CO switch to which the 
router connects? 


A) isdn router-type 
B) isdn switch-type 
C) isdn hub-type 

D) isdn bridge-type 


Which Cisco router command designates the interface that is used for ISDN on a router 


acting as a TE] device? 


A) interface serial interface-number 

B) interface Ethernet interface-number 
C) interface bri interface-number 

D) interface ISDN interface-number 


The dial-in numbers that an ISDN service provider CO site switch might require are 
known as ? 


A) service provider identifiers (SPIDs) 
B) service profile identifiers (SPIDs) 
C) service profile interface devices (SPIDs) 


D) service provider interface devices (SPIDs) 


Which Cisco router command is used to configure ISDN CLID screening? 
A) caller ID 

B) isdn caller 

C) ID caller 

D) ID caller 


Rate adaption allows the ISDN channel to adjust to which of the following: 
A) lower speed 

B) higher speed 

C) speed of 128 kbps 

D) speed of 256 kbps 
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Quiz Answer Key 


Ql) Cc 
Relates to: ISDN Services 
Q2) D 
Relates to: ISDN Protocols 
Q3)  B 
Relates to: ISDN Protocol Layers 
Q4)  B 
Relates to: ISDN Configuration Tasks 
Q5) A 
Relates to: ISDN Configuration Commands 
Q6) 8B 
Relates to: ISDN Switch Types 
Q7) C¢ 
Relates to: Interface Protocol Settings 
Q8)  B 
Relates to: SPID Setting If Necessary 
Q9) B 
Relates to: Configuration of Caller ID Screening 
Q10) A 


Relates to: Rate Adaption 
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Configuring ISDN PRI 


Overview 


ISDN BRI is typically used for remote access at small branch sites with lower bandwidth 

requirements. Primary Rate Interface (PRI) is typically used by larger central sites with higher 

bandwidth requirements to aggregate multiple remote BRIs. Internet service providers (ISPs) 

also use ISDN PRI to support combined large numbers of analog modem and ISDN BRI calls. 
Relevance 


This lesson provides an overview of concepts and configuration of ISDN PRI. 


Objectives 
Upon completing this lesson, you will be able to: 
m= List the tasks required to successfully configure an ISDN PRI connection 
= Configure the appropriate switch type with the isdn switch-type command 
m List and explain the commands that are required to configure an ISDN T1 or E1 controller 
m= List and explain the commands that are required to configure the ISDN PRI channels and D 
channel 
Learner Skills and Knowledge 


To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m= All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO) 
course 


m All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course 


Outline 
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This lesson includes these topics: 


Overview 

ISDN Services 

PRI Reference Points 

Configuration Tasks for PRI 

ISDN PRI Configuration 

Tl and E1 Controller Parameters 

Additional ISDN PRI Configuration Parameters 
PRI Configuration Example 

Summary 


Quiz 
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ISDN Services 


This topic describes the services of the ISDN PRI. ISDN services are offered as either ISDN 
BRI or ISDN PRI. 


ISDN PRI and Channelized E1 and T1 


ae = 04 aps ars 
30B (E1) 


B =: kbps £1 2.048 Mbps 
(includes synchronous) 


(31) 64 kbps 2.048 Mbps 
channels (includes maint 
154d Mi 
05-08 Td {includes i 
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In the figure, the ISDN PRI specifies: 

m 23B(US. Tl) or 30 B (European E1) channels at 64 kbps each 
= 1D channel at 64 kbps 

m Framing and synchronization at 8 kbps (T1), or 64 kbps (E1) 

m Total speed 1.544 Mbps (T1), or 2.048 Mbps (E1) 


Because an ISDN BRI comprises two B channels and one D channel, it is often referred to as 
“2B+D.” Likewise, a U.S. Tl PRI is commonly referred to as “23B+D,” and a European E1 
PRI as “30B+D.” 


In Europe the D channel is carried in timeslot 16. In the United States it is in timeslot 24. 


Note In an E1 PRI there are actually 32 channels: 30 B, 1 D, and 1 synchronization channel. 
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The table below displays the relationships between the DS level, speed, “T” designations, and 
number of channels. 


North American Digital Hierarchy 


Digital Signal Level Speed “T” Designation Channels or DS-0s 
DS-0O 64 kbps - 1 

DS-1 1.544 Mbps T1 24 

DS-3 44.736 Mbps T3 672 


In some cases, a DS-0 can carry only 56 kbps, usually because of legacy telco equipment or a 
signaling method called robbed-bit signaling (RBS). 


In Europe, the equivalent of a T1 facility is an E1 facility. 
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PRI Reference Points 


This topic describes the most common components and reference points of ISDN PRI. 


PRI Reference Points 


SIT 


te |} +68 


+ ITU-T 1.431 


ea » ANSI 71.601 


Depending on country implementation, either the ANSI T1.601 or ITU-T 1.431 standard 
governs the physical layer of the PRI interface. 


PRI technology is simpler than BRI. The wiring is not multipoint because there is only the 
straight connection between the CSU/DSU and the PRI interface. (Multipoint refers to the 
ability to have multiple ISDN devices connected to the network, all of which have access to the 
ISDN network.) Arbitration at Layer 1 and Layer 2 allows multiple devices that need to share 
the ISDN network to access the network without collisions or interruptions. PRI does not 
require this arbitration because there are no multiple devices. 
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Configuration Tasks for PRI 


This topic describes the configuration tasks that are required to successfully configure an ISDN 
PRI connection. 


Configuration Tasks for PRI 


aF =) ae 


D 


Select the PRI switch type 


Specify T1/E1 controller, framing, and line coding for 
the facility 


Set PRI group timeslots for T1/E1 and indicate the 
speed used 


Specify the interface on the router that you will 
configure for DDR 


Use the PRI configuration task steps listed in the figure, in addition to the DDR-derived 
commands covered earlier in BRI configurations, to enable a PRI connection. 


Complete the following configuration tasks: 


1. Specify the ISDN switch type used by the service provider for this PRI connection. 

2. Specify the T1/E1 controller, framing type, and line coding for the service provider facility. 
3. Seta PRI group timeslot for the T1/E1 facility and indicate the speed used. 

4. Identify the interface used to configure DDR for the PRI. 
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ISDN PRI Configuration 


This topic describes the isdn switch-type command. Configuring ISDN PRI requires global 
and interface configuration commands. Selecting the correct switch type to connect is critical 
when configuring ISDN PRI. 


ISDN PRI Configuration 
I 7 


° Configures the ISDN PRI switch type 


Router (config)#controller {tl | e1} 
{slot/port | unit-number} 


* Configures the ISDN PRI controller 


Use the isdn switch-type command to specify the CO PRI switch to which the router connects. 
With Cisco IOS Release 11.3(3)T or later, this command is also available as a controller 
command to allow different switch types to be supported on different controllers. If configured 
as a global command, the specified switch type applies to all controllers, unless a switch type is 
specifically configured on an individual controller. 


An incompatible switch selection configuration can result in failure to make ISDN calls. After 
changing the switch type, you must reload the router to make the new configuration effective. 


Copyright © 2004, Cisco Systems, Inc. Using ISDN and DDR to Enhance Remote Connectivity 6-31 


Telco isdn switch-type commands are shown in the table below. 


isdn switch-type Command 


Command Description 

primary-4ess AT&T Primary-4ESS switches (United States) 
primary-5ess AT&T Primary -5ESS switches (United States) 
primary-dms100 NT DMS-100 switches (North America) 
primary-ni National ISDN switch type 

primary-ntt NTT ISDN PRI switches (Japan) 
primary-net5 European and Australian ISDN PRI switches 
primary-qsig Q Signaling (QSIG) per Q.931 

None No switch defined 


Unlike BRI operation, ISDN PRIs do not use SPIDs. Therefore, there is no requirement to 
configure SPIDs, regardless of the ISDN switch type used by the PRI. 


Use the controller {t1 | e1} s/ot/port command in global configuration mode to identify the 
controller to be configured. Use a single unit-number to identify the AS5000 Series controller. 
These commands are shown in the table below. 


controller {t1 | e1} Command 


Command Description 

t1 Specifies the controller interface for North America and Japan 

e1 Specifies the controller interface for Europe and most other 
countries 

slot/port or unit number eae the physical slot/port location or unit number of the 
controller 
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T1 and E1 Controller Parameters 


This topic describes the commands that are required to configure an ISDN T1 or El controller. 
In ISDN PRI, a T1 or El controller must first be configured to communicate with the service 
provider. 


T1 and E1 Controller Parameters 


Router (config-controller) #framing 
{sf | esf | cre4 | no-crce4} 


° Selects the framing type on the controller 


Router (config-controller) #linecode 
(ami | b8zs | hdb3} 


° Selects the line-code type on the controller 


Router (config-controller)#clock source 
{line [primary | secondary] | internal} 


° Specifies the T1 clock source 


Use the framing controller configuration command to select the frame type used by the PRI 
service provider. The table shows framing commands that you can use. 


framing Command 


Command Description 

sf Super Frame. Use for some older T1 configurations. 

esf Extended Super Frame. Use for T1 PRI configurations. 

crc4 or no-crc4 Cyclic redundancy check 4. Use for E1 PRI 
configurations. 


Without a sufficient number of ones in the digital bit stream, the switches and multiplexers in a 
WAN can lose their synchronization for transmitting signals. Use the linecode command to 
identify the physical layer signaling method to satisfy the “ones” density requirement on the 
digital facility of the provider. 
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The table shows line code commands that you can use. 


linecode Command 


Command Description 

ami Alternate mark inversion. Use for T1 configurations. 
b8zs Binary 8-zero substitution. Use for T1 PRI configurations. 
hdb3 High density binary 3. Use for E1 PRI configurations. 


Binary 8-zero substitution (B8ZS) accommodates the ones density requirements for T1 carrier 
facilities using special binary signals that are encoded over the digital transmission link. It 
allows 64 kbps (clear channel) for ISDN channels. 


Settings for these two Cisco IOS software controller commands on the router must match the 
framing and line-code types used at the T1/E1 WAN CO switch of the provider. 


Use the clock source {line | internal} command to configure the T1 and El clock source on 
Cisco routers. T1 configurations typically require framing esf and linecode b8zs. E1 
configurations typically require framing cre4 and linecode hdb3. 
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Additional ISDN PRI Configuration Parameters 


This topic describes the commands that are required to configure the ISDN PRI channels and D 
channel. After the T1 or El controller is configured, the PRI channels and the corresponding D 
channel interface must be configured. 


Additional ISDN PRI 


Configuration Parameters 
es | 


Router (config-controller)#pri-group [timeslots range] 


¢ Specifies ISDN PRI on the T1 or E1 controller 
* Specifies timeslots (channels) used by PRI 


Router (config) #interface serial {slot/port | unit:}{23 | 15} 


¢ Specifies the serial interface for the PRI D channel 


Router (config-if)#isdn incoming-voice modem 


* Switches incoming analog calls to internal modems 


The pri-group command configures the specified interface for PRI operation and specifies 
which fixed timeslots (channels) are allocated on the digital facility of the provider. 


pri-group Command 


Command 


Description 


timeslots range The range of timeslots allocated to this PRI. For T1, use values in 
the range of 1 to 24, and for E1, use values from 1 to 31. The speed 


of the PRI is the aggregate of the channels assigned. 


Example 1: If using all 30 B channels on an El PRI (30B+D), specify pri-group 1-31. 


Example 2: If allocated only the first eight B channels (512-kbps total data bandwidth) for a T1 
PRI (23B+D), then specify pri-group 1-8,24. Note that the D channel must be specified. 


Note When provisioning a PRI line with less than 24 time slots (or 30 for E1), include the D 
channel for signaling. 
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Specification of the PRI group automatically creates the corresponding serial interface for the D 
channel: interface serial {slot/port | unit}: {23 | 15}. This interface is used to configure the PRI 
D channel. The table shows the interface serial commands that you can use. 


interface serial Command 


Command Description 
Slot/port The slot/port of the channelized controller 
unit The unit number of the channelized controller on a Cisco 4000 or 


AS5000 Series router 


23 A 11 interface that designates channelized DS-Os 0 to 22 as the B 
channels, and DS-0 23 as the D channel 
15 An E1 interface that designates 30 B channels and timeslot 16 as the 
D channel 
Note In an E1 or T1 facility, the channels start numbering at 1 (1 to 31 for E1 and 1 to 24 for T1). 


Serial interfaces in the Cisco router start numbering at 0. Therefore, channel 16, the E1 
signaling channel, is serial port subinterface 15. Channel 24, the T1 signaling channel, is 
serial subinterface 23. 


The isdn incoming-voice modem command allows incoming analog calls to be switched to 
internal modems. Software examines the bearer capability fields of the D channel data and 
determines whether a call is a normal ISDN call or an analog call being carried on an ISDN B 
channel. If it is an analog call, it is switched to internal modems. This command is only 
available for access servers with the capability for internal modems. 
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PRI Configuration Example 
The following topic highlights a sample ISDN PRI configuration. 


PRI Configuration Example 


Cisco 3600 


isdn switch-type primary-S5eass 
' 


controller t1 o/o 
pri-group timeslots 1-24 
framing est 
linecode b8zs 
cleck source line 
' 
interface serial O/0:23 
ap address 192.168.11.2 255.255.255.0 
isdn incoming-voice modem 


The table describes the commands in the figure. 


PRI Configuration Commands 


Command Description 

isdn switch-type primary-5ess Selects a switch type of AT&T 5ESS 

controller t1 0/0 Selects the T1 controller 0/0 

pri-group timeslots 1-24 Establishes the interface port to function as PRI with 24 timeslots 
(including D channel) designated to operate at a speed of 64 
kbps 

framing esf Selects Extended Superframe (ESF) framing, a T1 configuration 
feature 

linecode b8zs Selects line code B8ZS for T1 

clock source line Specifies the T1 line as the clock source for the router 

interface serial 0/0:23 Identifies the D channel on serial interface 0/0 

Note Static mapping and DDR commands are also used for configuring PRI. Although they are 


also required for ISDN operation, these commands are omitted from this example. 


The controller t1 0/0 command configures the T1 controller. In the example, the switch type 
selected is an AT&T model. This example is accurate for some operations in the United States. 


For an El example, the timeslot argument for the pri-group command would be 1-31 rather 
than 1-24 as shown for a T1 example, and the interface command would be 0/0:15 instead of 
0/0:23. 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
eee CISEGCOM | 


ISDN PRI is typically used to aggregate multiple BRIs or 
for higher-bandwidth requirements. 

ISDN PRI (T1) total speed is 64 kbps x 23 (B channels) + 
64 kbps (D channel) + 8 kbps (framing and 
synchronization) = 1.544 Mbps. 

ISDN PRI (E1) total speed is 64 kbps x 30 (B channels) + 
64 kbps (D channel) + 64 kbps (framing and 
synchronization) = 2.048 Mbps. 

ISDN PRI requires that a T1 (or E1) controller be 
configured. 

A T1 controller configuration must include the framing 
type and line coding. 


Summary (Cont.) 


° Like ISDN BRI, a PRI switch type must also be 
configured. 


* ISDN PRI does not require SPIDs. 


* The ISDN PRI D and B channels are configured 
separately from the controller, using the interface 
serial command. 


° The pri-group command configures the specified 
interface for PRI operation and the number of fixed 
timeslots that are allocated on the provider digital 
facility. 
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Quiz 


Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 


Ql) 


Q2) 


Q3) 


Q4) 


QS) 


When you are configuring PRI on a Cisco router, where does the information for the 
correct PRI switch type, T1 or El controller, framing type, and line coding come from? 


A) service provider facility 

B) client facility 

C) company human resources department 
D) local electronic retail store 


Which Cisco router command is used to specify the CO PRI switch to which the router 
connects? 

A) isdn switch-type 

B) isdn router-type 

C) isdn hub-type 

D) switch isdn-type 

Which framing controller configuration command code parameter is used to select the 
frame type used by the PRI service provider for Extended Super Frame? 


A) sf 
B) esf 
C) crc4 
D) esc4 


Which Cisco router command configures the specified interface for PRI operation and 
specifies the number of fixed timeslots that are allocated on the digital facility of the 
provider? 

A) BRI group 

B) SER group 

C) PRI group 

D) Eth group 

Which command would be used to configure a European ISDN PRI switch type? 
A) isdn switch-type primary-4ess 

B) isdn switch-type primary-net5 

C) isdn switch-type primary-Sess 

D) isdn switch-type primary-dms100 


Copyright © 2004, Cisco Systems, Inc. Using ISDN and DDR to Enhance Remote Connectivity 6-39 


Quiz Answer Key 
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Ql) 


Q2) 


Q3) 


Q4) 


Q5) 


A 


Relates to: 


A 


Relates to: 


B 


Relates to: 


Cc 


Relates to: 


B 


Relates to: 


Configuration Tasks for PRI 


ISDN PRI Configuration 


T1 and E1 Controller Parameters 


Additional ISDN PRI Configuration Parameters 


PRI Configuration Example 


Building Cisco Remote Access Networks (BCRAN) v2.1 
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Configuring DDR 


Overview 


DDR enables routers to connect on an as-needed basis. They typically connect long enough to 
exchange information and then disconnect. This results in significant cost savings for the 
enterprise. 


Relevance 


ISDN connects and disconnects faster than plain old telephone service (POTS), and has greater 
throughput. For these reasons, DDR is most often used with ISDN. This lesson provides an 
overview of ISDN DDR. 


Objectives 
Upon completing this lesson, you will be able to: 
m Explain the logic flow when defining interesting traffic 
m= List the steps that are required to configure DDR 
m™ Define and configure interesting traffic on selected interfaces 
™ Configure access lists to provide more granular control when defining interesting traffic 
m Apply dialer lists to ISDN BRI interfaces 
™ Configure dialer maps to specify how to reach a remote destination 
™ Configure a simple ISDN network 


= Define interesting traffic with dialer and access lists 


Learner Skills and Knowledge 


To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m= All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO) 
course 


m All knowledge presented in the Jnterconnecting Cisco Network Devices (ICND) course 


Outline 
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This lesson includes these topics: 


Overview 

DDR Operation 

DDR and ISDN Usage 

DDR Configuration Tasks 
Interesting Traffic for DDR 
Access Lists for DDR 
Destination Parameters for DDR 
Configuration of a Simple ISDN Call 
Configuration Example: RouterA 
Configuration Example: RouterB 
Access List for DDR Example 


Summary 


Quiz 
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DDR Operation 


This topic describes the ISDN DDR process and explains the logic flow when defining 
interesting traffic. DDR routing enables predefined interesting traffic to initiate a call across the 
ISDN WAN connection. 


DDR Operation 


C Duigoing Packet >-»< 
—— q 


BCRAN v2.1—6-2 


Cisco implements DDR from the perspective of the outgoing data from the router. 


With DDR, all traffic that is destined to the dialer interface is classified as either “interesting” 
or “uninteresting,” based on the dialer list. If the traffic is interesting (permitted by the dialer 
list), then the router connects to the remote router if not currently connected. If the traffic is 
uninteresting (denied by the dialer list) and there is no connection, then it does not dial the 
remote router, thereby saving costs. 


The dialer idle timer is used to reset the connection if no interesting traffic for the destination 
arrives within the configured timer interval. 


Note When a connection is made, all traffic uses the link (unless denied by another access list 
applied to the interface). For example, if the dialer list is configured to allow only ping 
(Internet Control Message Protocol [ICMP)) traffic, a user could send a ping to bring up the 
connection and then start a Telnet session on the open DDR interface. 
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DDR and ISDN Usage 
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This topic describes the sequence of events that triggers an ISDN DDR call. ISDN is commonly 
configured with DDR 


Using DDR with ISDN 


=» BRI or 


PRI 


3 ———— __ Provider 


Packet arrives. 


Switch packet to DDR interface, 
determine if interesting. 


If interesting, dial DDR destination via ISDN. 
Connect to remote router. 
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Access routers use DDR to connect to remote routers. The access router will initiate a 
connection only when it detects “interesting traffic” that is bound for a remote site. Dialer lists 
specify interesting traffic. You can place a BRI interface in a dial group, which is linked to a 
dialer list that specifies interesting traffic. You can use multiple dialer list entries to identify 
traffic that is interesting and destined for other DDR destination routers, based on various 
protocols. Access lists can also be used to refine the designation of interesting packets that will 
initiate DDR calls. 


Routing updates may cause ISDN calls to remote routers. This could dramatically increase 
service charges from the ISDN service provider. For this reason, it is usually best to use static 
and default routes to reach destination networks. 


Note Some dynamic routing protocols, like Open Shortest Path First (OSPF), support features 
specifically designed to work over DDR connections. In addition, Cisco IOS software 
supports a feature called Snapshot Routing. This feature permits the use of distance-vector 
routing protocols over DDR links while minimizing routing and service advertisement 
updates, thus saving link charges. Further information on these features can be located at 


http:/Awww.cisco.com. 


DDR commands map a host ID and dialer string to initiate the setup of an ISDN call for 
interesting traffic. The router then makes an outgoing call from its BRI interface through the 
ISDN NT-1. If using an external TA, it must support V.25bis dialing. Calling details for these 
devices come from dialer commands. 
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An idle timer starts when no more interesting traffic is transmitted over the ISDN call. The 
timer is reset if an interesting packet is received before the Idle-Timeout value is reached. If no 
interesting packets are received when the Idle-Timeout expires, the call disconnects. 
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DDR Configuration Tasks 


This topic describes the tasks that are required to configure DDR. Several tasks are required to 
configure ISDN with DDR. 


DDR Configuration Tasks 


Provider 


° Define interesting traffic 


* Assign interesting traffic definition 
to ISDN interface 


° Define destination 
° Define call parameters 


To configure DDR, you must complete these tasks: 


1. Define what constitutes interesting traffic by using the dialer-list command. 
2. Assign this interesting traffic definition to an interface using the dialer-group command. 


3. Define the destination IP address, host name, telephone number to dial, and optional call 
parameters using the dialer map command. 


4. Define call parameters using the following commands: 


— dialer idle-timeout seconds: Specifies the time that the line can remain idle without 
receiving interesting traffic before it is disconnected. Default time is 120 seconds. 


— dialer fast-idle seconds: Specifies the time that a line for which there is contention 
(another call is waiting to use line) can remain idle before the current call is 
disconnected, to allow the competing call to be placed. Default time is 20 seconds. 


— dialer load-threshold /oad [outbound | inbound | either]: Specifies the interface 
load at which time the dialer initiates another call to the destination. This command 
is used with Bandwidth on Demand (BoD) or Multilink PPP (MLP). 
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Definitions of the arguments and options for the dialer load-threshold /oad [outbound | 
inbound | either command are displayed in the table. 


dialer load-threshold Command 


Command Description 
load A number from 1 to 255, with 255 equal to 100 percent load and 128 
equal to 50 percent load 
outbound Calculates the load on outbound data only (the default) 
inbound Calculates the load on inbound data only 
either Calculates the load on the maximum of the outbound or inbound data 
Note For more information, refer to the “Cisco Access Dial Configuration Cookbook” at 
http://www.cisco.com/. — 
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Interesting Traffic for DDR 


This topic describes how to configure interesting traffic and apply it to an ISDN interface. With 
ISDN DDR, an interface is activated when it sees interesting traffic that it must forward. 


Defining Interesting Traffic 


Router (config) #dialer-list dialer-group-number 
protocol protocol-name {permit | deny |list 
access-list-number} 
* Defines interesting packets for DDR 
* Associated with the dialer group assigned to the 
interface 


Router (config-if)#dialer-group group-number 


* Assigns an interface to the dialer access group 
specified in the dialer-list command 
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The dialer-list command is used to configure dial-on-demand calls that will initiate a 
connection. The simple form of the command specifies whether a whole protocol suite, such as 
IP or Internetwork Packet Exchange (IPX), will be permitted or denied to trigger a call. The 
more complex form references an access list that allows finer control of the interesting traffic 
definition for a given protocol. A dialer list can contain multiple entries to define multiple 
protocol types as interesting. 


The dialer-group interface command applies the dialer list specifications to an interface. Only 
one dialer list can be applied to an interface at a time. 
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The dialer-list and dialer-group command syntax is described in the table. 


dialer-list and dialer-group Commands 


Command Description 


dialer-list dialer-group-number | Defines a DDR dialer list to control dialing by protocol or by a 
protocol protocol-name combination of protocol and access list. 

{permit | deny | list access-list- 
number | access-group} 


dialer-group-number Number of a dialer access group identified in any dialer-group 
interface configuration command. 


protocol-name One of the following protocol keywords: appletalk, bridge, clns, 
clns_es, clns_is, decnet, decnet_router-L1, decnet_router-L2, 
decnet_node, ip, ipx, vines, or xns. 


dialer-group group-number Configures an interface to belong to a specific dialer group. The 
dialer group points to a dialer list. 


group-number Number of the dialer access group to which the specific interface 
belongs. This access group is defined with the dialer-list command, 
which specifies interesting traffic that initiates a DDR call. 
Acceptable values are nonzero, positive integers from 1 to 10. 
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Access Lists for DDR 


This topic describes how to define ISDN DDR interesting traffic by referencing an access list. 
Interesting traffic can be specifically defined with an access list. 


Using Access Lists for DDR 
eee ng CECT *) 


Router (config) #access-list access-list-number {permit |deny} 
{protocol | protocol-keyword } 
{source source-wildcard | any} 
{destination destination-wildcard | any} 
[protocol-specific-options] [log] 


* Gives tighter control over “interesting” traffic and 
uses standard or extended access lists 


Router (config) #dialer-list dialer-group protocol protocol- 
name list access-list-number 


* Associates an access list with a dialer access group 
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When linked to a dialer list, access lists give strict control over which packets are considered 
interesting. The access-list command specifies the interesting traffic that initiates a DDR call. 
Both standard and extended access lists are supported, which enables the identification of 
interesting traffic based on simple destination addresses, or based on both source and 
destination addresses, and upper layer protocols. 


An extended access list is displayed in the figure shown, providing more control over the 
protocol, source address, and destination address in determining interesting packets. 


Note Not all command parameters are displayed for the access-list command. Refer to the Cisco 
Documentation CD-ROM or hitp://www.cisco.com for the complete syntax. 


The dialer-list command is used in conjunction with the access list. This command associates 
the access list with the dialer access group. 
The following is a sample configuration: 


interface BRIO 


dialer-group 1 


access-list 101 deny igrp 0.0.0.0 any any 
access-list 101 permit ip any any 


dialer-list 1 protocol ip list 101 
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Destination Parameters for DDR 


This topic describes how to identify a remote destination with the dialer map command. When 
interesting traffic has been detected, the interface is activated and initiates a call to the remote 
ISDN destination, which is identified by a dialer map. 


Defining Destination Parameters 


Router (contig-if)f daaler map protocel next-hop-address 
[name hostname] [speed 56/64] [broadcast] 
[modem-script modem-regexp] 

[system-script system-regexp] 
[dial-string|:asdni-subaddress) | 


* Maps an IP network layer address to a remote 
phone number 


° Defines the method of reaching a remote ISDN 
destination 


When interesting traffic has been identified for the ISDN interface, the router initiates a DDR 
call, if the call is not already connected. The router uses the information that is configured in 
the dialer map command to determine dialing parameters to the destination router, such as the 
telephone number to dial. The dialer map command binds the next-hop protocol address to a 
telephone number, or dial-string, for a particular destination. 


A dialer map is similar in concept to an Address Resolution Protocol (ARP) entry fora LAN 
that binds an IP address to a MAC address, or a Frame Relay map that binds a next-hop 
protocol address to a data-link connection identifier (DLCI). Each dialer map associates a 
destination or next-hop Layer 3 network address to a destination Layer 2 address. 
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The dialer map command options are described in the table. 


dialer map Commands 


Command Description 
dialer map protocol next-hop-address Configures a serial interface or ISDN interface to call one 
[name hostname] [speed 56|64] or multiple sites. 


[broadcast] [dial-string[:isdn-subaddress]] 
m name parameter refers to the name of the remote 


system 


m speed parameter is the line speed to use in kilobits per 
second 


m= broadcast parameter indicates that broadcasts should 
be forwarded to this address 


m dial-string[:isdn-subaddress] is the number to dial to 
reach the destination and the optional ISDN 
subaddress 


[modem-script modem-regexp] (Optional) Indicates the modem script to use for the 
connection (for asynchronous interfaces). Create modem- 
regexp using a chat script. 


[system-script system-regexp] (Optional) Indicates the system script to use for the 
connection (for asynchronous interfaces). Create system- 
regexp using a chat script. 


Note The dialer map command has many other optional parameters available. For a complete 
description of the command and its parameters, refer to the documentation CD-ROM or 


hittp:/Awww.cisco.com. 
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Configuration of a Simple ISDN Call 


This topic describes a simple ISDN BRI connection with DDR-enabled configuration. 


Configuring a Simple ISDN Call 


10.170.0.1 
10.170.0.2 


Route al NT1 


0 
‘i $105551234 


_S CJ 


—, 192.168.2.1 192.168.1.1 =f 


—d 


e Use PPP encapsulation 

° All IP traffic to destination triggers ISDN call 

* Carrier uses a 5ESS basic-rate switch 

¢ Service provider assigns connection parameters 


The figure displays an example of how you can combine the commands described in the 
previous lessons to set up ISDN and initiate DDR. 


DDR is configured to connect RouterA to RouterB. Interesting traffic is defined as any IP 
traffic that will initiate a DDR call to RouterB. Similar to a telephone call, the number dialed is 
for the remote ISDN device. The ISDN service provider supplies this number. 


As shown in the figure, traffic is routed to the LAN. Before a connection can be made, you 


must configure Challenge Handshake Authentication Protocol (CHAP) authentication, a dialer 
map, and static routes of how to reach the RouterB 192.68.1.0 network. 
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Configuration Example: RouterA 
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Configuration Example: RouterA 
a ee eee 


10.470.0.4 10,470.02 
BRIO 4085559000 
= 


RouterA 


hostname Rooterh 

imcn mwitch=tyoe basxiceSenx 

username Bouters pasawerd itaasecrcat 
interface bri 0 

ip address 10.170.0.1 255.255.0.9 
encapsulation ppp 

dialer idle<-btimmout 300 

diale> map ip 10.170.0.2 name Routers 4065554000 
dialer-group 1 

Ppp authentication chap 

' 

ip route 192.168.1.0 255.255.255.090 10.170.0.2 
dialer-list 1 protecol ip permit 
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This topic describes a sample ISDN BRI and DDR configuration for RouterA. 


‘ , 
192188.1.1 
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The configuration in the figure is for legacy DDR, which uses dialer maps. 
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The table describes the commands that are used in the configuration. 


BRI and DDR RouterA Configuration Commands 


Command 


isdn switch-type 


Description 


Selects the AT&T 5ESS switch as the central office (CO) ISDN switch type 
for this interface. 


username rtb password 
itsasecret 


Sets up a CHAP username and password for the remote router. 


interface bri 0 


Enters BRI 0 configuration mode. 


Ip address 10.170.0.1 
255.255.0.0 


Specifies the BRI 0 IP address and subnet mask. 


encapsulation ppp 


Sets up PPP encapsulation for BRI 0. 


dialer idle-timeout 300 


Specifies the number of seconds of idle time before the router drops the 
ISDN call (300 sec = 5 min). 


dialer map Establishes how to call the next-hop router. 

ip Specifies the name of the protocol that is used by this map. 

10.170.0.2 Specifies the IP address for the next-hop router BRI interface. 

RouterB Specifies the CHAP identification name for the remote router. 
4085554000 Specifies the telephone number that is used to reach the BRI interface on 


the remote router for this DDR destination. 


dialer-group 1 


Associates the BRI 0 interface with dialer list 1. 


ppp authentication chap 


Sets up CHAP PPP authentication for BRI 0. 


ip route... 


Configures a static route to the subnet on the remote router. 


dialer-list 1 protocol ip 
permit 


Associates permitted IP traffic with dialer group 1. The router will start an 
ISDN call for IP traffic only. 
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Configuration Example: RouterB 
This topic describes a sample ISDN BRI and DDR configuration for RouterB. 


Configuration Example: RouterB 
es Meret 


10.170.0.4 


S10555t234 Ww iroa2 


Brio 


192.1682.1 


hoataame Bouter 

tectn ewatch-type basic-Seen 

username BonterA password itsaseccoee 
interface bri 0 

ip address 10.170.0.2 258.255.0.0 
encapsulation ppp 

dialer idle-timeout 300 

diale> map ip 10.170.0.1 name Routera 5105551234 
dialer-group 1 

Ppp suthentication chap 

' 

ip route 192.1686.2.0 255.255.255.0 10.170.0.1 
Gialer-list 1 protecol ip permit 
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This figure displays the configuration of RouterB. This configuration is also for legacy DDR. 
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The table describes the commands that are used in the configuration. 


BRI and DDR RouterB Configuration Commands 


Command 


isdn switch-type 


Description 


Selects the ISDN switch type for this interface. 


username rta 
password itsasecret 


Sets up the CHAP username and password for the remote router. 


interface bri0 


Enters BRI 0 configuration mode. 


ip address 10.170.0.2 
255.255.0.0 


Specifies the BRI 0 IP address and net mask. 


encapsulation ppp 


Sets up PPP encapsulation for BRI 0. 


dialer idle-timeout 300 


Specifies the number of seconds of idle time before the router drops the 
ISDN call (300 sec = 5 min). 


dialer map Establishes how to call the next-hop router. 

ip Specifies the name of the protocol that is used by this map. 

10.170.0.1 Specifies the IP address for the next-hop router BRI interface. 

RouterA Specifies the CHAP identification name for the remote router. 
5105551234 Specifies the telephone number that is used to reach the remote router for 


this DDR destination. 


dialer-group 1 


Associates the BRI 0 interface with dialer list 1. 


ppp authentication 
chap 


Sets up CHAP PPP authentication for BRI 0. 


ip route... 


Configures a static route to the subnet on the remote router. 


dialer-list 1 protocol 
ip permit 


Associates permitted IP traffic with dialer group 1. The router will start an 
ISDN call for IP traffic only. 
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Access List for DDR Example 
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This topic describes a simple ISDN BRI connection that uses a DDR configuration. Interesting 
traffic is more specifically defined with an access list. 


Access List for DDR Example 


ADATON.2 


10.170.0.1 


Reset BRIO — servic 40.170.0.3 


RouterA 


Cy 


- 


iE 


192.168.3.1° 


4085551234 NT1 Router 


RouterA allows all IP traffic except Telnet and FTP to trigger 
ISDN calls to RouterB, and access subnet 192.168.1.0 
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This figure displays how to combine DDR commands with an extended access list to trigger an 
ISDN call. The configuration uses many of the same commands for configuring a simple ISDN 
call. Through dialer lists, access lists are applied to a dialer group to trigger call setup. 


DDR is configured on RouterA to connect with RouterB for all IP traffic except Telnet and the 
FTP. The details about what is interesting to DDR are defined in an access list. 


The service provider offering the ISDN service uses a Northern Telecom DMS-100 switch. 
Therefore, the configuration requires that the service profile identifiers (SPIDs) be specified. 
The service provider supplies other details to use when you are configuring the router for 
ISDN. 


It is more common in networks to reference an access list in the dialer list because it offers 
more granular control over the protocols, users, and destinations that trigger a call. The 
previous example permitted any IP packet to trigger the call. It is likely that noncritical packets 
will activate the line unnecessarily, thereby resulting in an inflated line. 
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Access List for DDR Example: RouterA 


10.970.0.4 


10.170.9.2 

ADSASSANDS 
~- 

ad 952.1681.1 


i —. ss GH 
at oe ISDN Rovner 


RouterA 


Service 
Provider 


WATOG.S 


402585124 
ts 192.16R31 


Router® 


hostname RouterA 
isdn switch-type basic-dmsi100 


username RouterB password itsasecret 
username RouterC password itsasecret 
interface bri 0 

ip address 10.170.0.1 255.255.0.0 


encapsulation ppp 


diale= 


adle-tameocut 300 


dialer map ip 10.170.0.2 name Rontere 4065554000 
dialer mep ip 10.170.0.3 name Router 4085551234 
dialer-qgroup 2 

Ppp authentication chap 

(continued on next figure) 
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This figure displays the configuration of RouterA from the previous figure. This configuration 
is for legacy DDR and uses dialer maps and extended access lists. The table describes the 
commands that are used in the configuration. 


Access List Configuration Commands 


Command 


isdn switch-type 


Description 


Selects the ISDN switch type for this interface. 


username RouterB 
password itsasecret 


Sets up the CHAP username and password for the remote router in the local 


user database. 


interface bri0 


Enters BRI 0 configuration mode, and sets up DDR and ISDN functions. 


ip address 10.170.0.1 
255.255.0.0 


Specifies the BRI 0 IP address and net mask. 


encapsulation ppp 


Sets up PPP encapsulation for BRI 0. 


dialer idle-timeout 300 


Specifies the number of seconds of idle time (300 sec = 5 min) before the 
router drops the ISDN call. 


dialer map 


Establishes the IP address and ISDN number to call the next-hop routers. 


dialer-group 2 


Associates the BRI 0 interface with dialer list 2. 


ppp authentication 
chap 


Sets up CHAP PPP authentication for BRI 0. 
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Access List for DDR Example: RouterA 


(Cont.) 


RewterA 10.9170.0.1 


& a j 


BRI 


LO? 
408556000 RouterE 
eT . 


— = 792.16K.1.1 
ISDN 
Service WATTLES 


Provider ANESES 1234 RouterC 
nd es 982.1683. 


ip route 192.165.1.0 255.255.255.090 10,.170.0.2 
ip route 192.165.3.0 255.255.255.090 10.170.9,.3 


access~list 101 deny tcp any any eg ftp 
access-list 101 deny tep any any eq telnet 


acoess-list 101 permit ip any any 
dialer-list 2 protocol ip list 101 
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This figure shows the continuation of the configuration of RouterA. This simple example 
shows how access lists are linked to dialer lists and dialer groups to determine interesting traffic 
that triggers DDR calls. Either simple or extended access lists can be linked with dialer lists and 
dialer groups to identify interesting traffic, thus creating a powerful set of tools to control 


dialup costs. 


The table describes the commands that are used in the configuration. 


Access List Configuration Example Commands 


Command 


ip route ... 


Description 


Configures static routes to subnets on remote router Ethernet 
interfaces. 


access-list 101 deny ... 


Defines extended TCP access list entries to prevent FTP and Telnet 
packets from triggering calls. 


access-list 101 permit ... 


Defines entry in the extended access list to permit remaining IP traffic 
to trigger ISDN calls. 


dialer-list 2 protocol ip list 
101 


Sets up control for automatic DDR dialing. Assigns access list 101 to 
dialer list 2, which is assigned to the BRI 0 interface by the dialer- 
group command statement. Only IP will trigger DDR calls with this 
configuration. 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 


¢- ISDN DDR enables routers to connect on an as- 
needed basis and therefore can result in 
significant cost savings. 


* The global configuration dialer-list command is 
used to define interesting traffic. 


° Access lists can also be used with dialer lists to 
provide more granular control. 
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Summary (Cont.) 


Cisco.com 


° The interface configuration dialer-group command 


is used to apply a dialer list to an ISDN BRI 
interface. 


* The interface configuration dialer map command is 
used to specify how to connect to a remote site. 


¢ Call parameters which can be specified include 


dialer idle-timeout, dialer fast-idle, and dialer 
load-threshold. 
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Quiz 


Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 


Ql) What type of traffic is passed on to the router in DDR? 


A) uninteresting traffic 

B) uninvited traffic 

C) invited traffic 

D) interesting traffic 

Q2) A DDR-configured Cisco access router initiates a connection toa remote router? 

A) as soon as the connection is broken 

B) when it detects “interesting traffic” bound for a remote site 

C) when the network administrator issues a no shutdown command on the 
Ethernet interface 

D) when the network administrator issues a shutdown command on the Ethernet 


interface 


Q3) — Which Cisco router command defines what constitutes interesting traffic? 


A) 
B) 
C) 
D) 


dialer-group 
dialer-map 
dialer-list 


dialer-interesting 


Q4) — Which Cisco router command applies the dialer list specifications to an interface? 


A) 
B) 
C) 
D) 


dialer-group 
dialer-map 
dialer-list 


dialer-interesting 


Q5) — Which Cisco router command specifies source, destination, and protocols that define 
interesting traffic that will initiate a DDR call? 


A) 
B) 
C) 
D) 


dialer-group 
dialer-map 
dialer-list 


access-list 
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Q6) Which Cisco router command identifies destination router information, such as the 
telephone number to dial? 


A) dialer-group 
B) dialer-map 
C) dialer-list 
D) dialer-access-list 
Q7) — Which Cisco router command feature associates permitted IP traffic with dialer group 1? 
A) dialer-group 1 
B) dialer map 
C) dialer-list 1 protocol ip permit 
D) dialer idle-timeout 1 
Q8) Which Cisco router command configures static routes to subnets on remote router 
Ethermet interfaces? 
A) access-list 101 permit 
B) access-list 101 deny 
C) ip route 
D) dialer list 2 protocol ip list 101 


Copyright © 2004, Cisco Systems, Inc. Using ISDN and DDR to Enhance Remote Connectivity 6-63 


Quiz Answer Key 
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Ql) 


Q3) 


Q4) 


Q5) 


Q6) 


Q7) 


Q8) 


A 


Relates to: 


B 


Relates to: 


Cc 


Relates to: 


A 


Relates to: 


D 


Relates to: 


B 


Relates to: 


Cc 


Relates to: 


Cc 


Relates to: 


DDR Operation 


DDR and ISDN Usage 


DDR Configuration Tasks 


Interesting Traffic for DDR 


Access Lists for DDR 


Destination Parameters for DDR 


Configuration Example: RouterB 


Access List for DDR Example 
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Verifying ISDN and DDR 
Configurations 


Overview 


ISDN still serves as a viable technology in many parts of the world. It is commonly used in a 
WAN environment as a backup technology for Frame Relay. ISDN is also used for small 
office, home office (SOHO) connectivity in areas where a digital subscriber line (DSL) or cable 
modem technology is not available. This lesson provides an overview of various commands to 
verify ISDN and dial-on-demand routing (DDR) connectivity. 


Relevance 


Implementing and troubleshooting ISDN is a necessary skill for network engineers. 


Objectives 
Upon completing this lesson, you will be able to: 
= Monitor ISDN connections 
m Verify and troubleshoot ISDN environments using debug commands 
™ Monitor the ISDN BRI D channel 
= Monitor the ISDN BRI B channels 
™ Monitor PPP on an ISDN BRI connection 


m™ Test an ISDN and DDR connection 


Learner Skills and Knowledge 


To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m= All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO) 
course 


m= All knowledge presented in the Jnterconnecting Cisco Network Devices (ICND) course 


Outline 
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This lesson includes these topics: 


Overview 

ISDN BRI Monitoring 

ISDN Layer 2 debug Commands 

ISDN Layer 3 debug Commands 

ISDN BRI D Channel Monitoring 
ISDN BRI B Channel Monitoring 
PPP on BRI Monitoring 

DDR Configuration Test 


Summary 


Quiz 


Building Cisco Remote Access Networks (BCRAN) v2.1 


Copyright # 2004, Cisco Systems, Inc. 


ISDN BRI Monitoring 


This topic describes the show isdn status command, which is useful when monitoring and 
troubleshooting Layer 1 and Layer 2 of an ISDN BRI configuration. Various commands are 
required to monitor and troubleshoot ISDN BRI and DDR connections. 


ISDN BRI Monitoring 


Router#show isdn statue 


ISDN BRIO interface 


Activated dsl 0 CCBs =1 
CCB:callid=2, sapi=0, ces=1, B-chan=1 
Total Allocated ISDN CCBs = 1 
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Use the show isdn status command to display a status summary of each of the three ISDN 
layers. The command is very useful to determine if Layer 1 and Layer 2 are active and are 
properly communicating with the telco ISDN switch. After this has been verified, you can 
proceed on to higher-level troubleshooting issues such as dialer interfaces, interesting traffic 
definitions, PPP negotiation, and authentication failures. 


The output displayed in the figure is an example of a properly functioning BRI circuit. In this 
example, the correct switch type has been configured and Layer 1 is ACTIVE. The command 
also reports that Layer 2 has been successfully negotiated because it is displaying the TEI and 
the MULTIPLE FRAME ESTABLISHED state. Finally, the output reports that the ISDN 
Layer 3 (end-to-end) is ready to make or receive calls. 
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The following tables show status messages for the Layer | and 2 states, as well as 


troubleshooting tips. 


Layer 1 Status Messages 


Status Description 
ACTIVE There is physical connectivity with the telco ISDN switch. 
DEACTIVATED There is no physical connectivity with the telco ISDN switch. Check 


the following: 

= BRI not shut down (no shutdown) - Is interface up/up? 

m Check cabling 

m External NT-1 required and not connected or operational? 


m Service from telco down 


GOINGDOWN, INIT, TESTING, 
RESET, DELEATED (sic), 
SHUTDOWN, ACTIVATING 
ACTIVE_Errorind 


Most of the Layer 1 states are temporary. Use the clear interface 
bri number command to clear them. If those states persist for 
extended periods, contact the telco for further troubleshooting. 


Layer 2 Status Messages 


Status 


TEl=# 


Description 


Valid TEI number range is 64 to 126. 


MULTIPLE_FRAME_ 
ESTABLISHED 


Indicates there is data-link connectivity to the telco ISDN switch. 
This is the state that you should see under normal operations. Any 
other state usually indicates a problem on the circuit. 


Layer 2 is NOT Activated 


Layer 2 is down. Use the debug q.921 command to help 
troubleshoot. 


TEIASSIGNED 


Indicates that the router has lost connectivity to the switch. Check 
the following: 


m Verify configured switch-type setting 
m= Verify SPID settings, if required 


m Verify with service provider the correct values 


TEI_UNASSIGNED, 
ASSIGN_AWAITING_TEI, 
ESTABLISH_AWAITING_TEI, 
AWAITING_ESTABLISHMENT, 
AWAITING_RELEASE, 
TIMER_RECOVERY 


Most of these Layer 2 states are temporary. Use the clear interface 
bri number command to reestablish connectivity. If those states 
persist for extended periods, use the debug isdn q921 command 
for further troubleshooting. 
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ISDN Layer 2 debug Commands 


This topic describes the debug isdn q921 command, which is useful when monitoring and 
troubleshooting Layer 2 of an ISDN BRI configuration. 


ISDN Layer 2 debug Commands 


Router#debug isdn q921 


* Shows data-link layer messages (Layer 2) on the 
D channel between the access router and the ISDN 
switch 


To monitor Layer 2 problems, use the debug isdn q921 EXEC command. The command 
displays real-time data-link layer (Layer 2) access procedures that are taking place at the access 
router on the D channel (LAPD) of its ISDN interface. This command is useful when you want 
to observe signaling events between the access router and the ISDN switch. 
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ISDN Layer 3 debug Commands 


This topic describes the debug isdn q931 command, which is useful when monitoring and 
troubleshooting Layer 3 of an ISDN BRI configuration. 


ISDN Layer 3 debug Commands 


Router#debug isdn q931 


¢ Shows call setup and teardown of ISDN network 
connections (Layer 3) between the access router and 
the ISDN switch 


To display information about call setup and teardown of ISDN network connections (Layer 3) 
between the local router (user side) and the network, use the debug isdn q931 EXEC 
command. The router tracks activities that occur on the user side only, not the network side of 
the network connection. 


The debug isdn output for q921 and q931 is limited to commands and responses exchanged 
during peer-to-peer communication carried over the D channel. This debug information does 


not include data transmitted over the B channels that are also part of the router ISDN interface. 


Multiple debug commands can be entered concurrently. Results will display in real time as they 
occur, so output may be intermingled. 
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ISDN BRI D Channel Monitoring 


This topic describes the show interface command, which is useful when monitoring an ISDN 


BRI D channel configuration. 


ISDN BRI D Channel Monitoring 
ee 


Branchteahow ioterface bri 0 = — 
“BRIO ix up, line protecsl is up (xpocfing) 

Hardware is ORI 

Intermet address is 10.155.0.1/24 

MoU 1500 bytes, BW 64 Kbit, DLY 20900 usec, rely 255/255, load 1/255 

Encaponlatian PRP, lorcphack not set 

Last anput 09:00:04, cutput never, cutput hang rever 

Last clearing of "show interZace" counters rever 

Teaput quece: O/ 7S/O (saiea/smax/dropa); Total output drops: 0 

Queveang xtreateqy: weaghted =aar 

Output queue: 9/1000/64/0 (size/max total/thresbold/drops) 
Conversationa ©/1/256 (active/max active/max total) 
Resexved Conversatacas 0/0 (allocated/max allocated) 

& minute input rate © bits/sec, 0 packets/sec 

5 minute output rate 0 bits/sec, 0 packets/se: 
$80 peckets inmpot. 3651 bytes, 9 no buffer 
Reaeived 223 broadcasts, 0 rontse, 0 giants, © threttice 
9 Aanput crrore, © CRC, 0 frame, 9 overrun, 5 ignored, 0 abort 
680 packets output, 3497 bytes, 0 umderruns 
O outpet errors, © collisions. 5 interface -esets 
0 outpet buffer failures, © ontput buffers swapped agt 
3 carrier transitions 


Use the show interfaces bri privileged EXEC command without arguments to display 
information about the BRI interface D channel only. 


Command syntax: 


show interfaces bri number[:bchannel] | [first] [last] 


The arguments for the show interfaces bri command are shown in the following table. 


show interfaces bri Command 


Command Description 

Number Interface number. 

:bchannel (Optional) Colon (:) followed by a specific B channel number. 

first (Optional) Specifies the first of the B channels; the value can be either 
1 or 2 for BRI. 

last (Optional) Specifies the last of the B channels; the value can only be 
2 for a BRI. 


The show interfaces bri command displays the first B channel on the BRI. The alternate value 


for this field is 2, which displays information about the second B channel. To display both B 


channels (first and last), enter show interfaces bri number 1 2. 
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If the router is an older platform and is a TE2 (non-native BRI with an external terminal 
adapter), use the show interfaces serial command. 
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Note that in the figure, line protocol is up (spoofing). This does not mean that the B channel is 
active, but that it is pretending, or spoofing, to be up. This is required because routes known 
through this interface would otherwise be removed from the routing table. This permits packets 
to be forwarded to the interface. Whether or not the packets trigger the link depends on the 
dialer list that is configured for the interface. 


The number of resets is not important for ISDN connections. 
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ISDN BRI B Channel Monitoring 
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This topic describes the show interface command, which is useful when monitoring an ISDN 


BRI B channel configuration. 


ISDN BRI B Channel Monitoring 


a On ee) 


RranohFP@sh int bri ¢ 1 2 


MIU 1500 bytes, BW 64 Kbit, DLY 20000 wees, rely 255/255, lod 1/255 


Tast input OO:09:01, suspur 90:90:91, ontmut has sever 
Larmt slearing +f “shew intartaca" sountere sever 
Terot queue C/75/9 (cico/max/dropeds Total cutput drones: 9 
Qucucing oOlrategy: weighted faire 
Oubpet quese: O/ 1000/66/00 (aa ned/mex cated / th rescold/ercea) 
Conversataons 0/1/26 (actave/max active/nax total! 
Reservec Conversations 0/0 (allocatad/max al oeatad} 
5 minute anput cate C bits/sec, 0 packets/sec 
& minute oatpet rate 0 bits/sec, € paokets/eoo 
62 packets anpet, 2044 bytes, © no Suffer 
Dwocews ved 32 Srowdecuvce, UO cunts, © gaumte, 0 theottlev 
© inpet erceorsz, © CRC, © frame, 3 sverrun, 0 iqnored. 0 abort 
®2 packets cutput, 2639 bytes, 9 underrcune 
© output errars, € collisions, 9 interface reets 


© output better tarlures. 


§ parrier trancitions 


(output omitted) 
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Use the show interfaces bri number 1 2 (or sh int) command to display information about the 
B1 and B2 channels. If the command is entered without the parameters 1 and 2, only D channel 


status is shown. 


For information about the DDR configuration or functions used by ISDN, use the show dialer 


and debug dialer commands. 
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PPP on BRI Monitoring 


This topic describes the show interface command, which is useful when monitoring an ISDN 


BRI PPP configuration. 


PPP on BRI Monitoring 


Sranchrtal amt bei O 1 


MTV 1500 bytes, BW €4 Kbat, DLY 20000 useu, cely 255/255, lowd 1/25 


shlatian PPP, csopkack nor saat, keepalive ser (10 sec) 


Last anpat 00: 00°02, oatpet 00:00:02, output hang never 
Tact Mearing of "chow interTase" counters nover 
inpet queue: O775/0 [foise/man/dropo), Total output deepo: 6 
Dawuwang steutegy: weagbted sui> 
Dutpul quewe: Of000/54/0 (aizrea/mex total / thresholdfdiupa) 
Convessalicns 0/1/2565 [aclive/max aclive/uas Lolal) 
Reaerved Canverasationa O0/€ (allocared/mar a) locarad) 
S monute inoct rate 0 bits/sec, U packets/sec 
§ minute ourpurt rate 6 bita/ses, 9 packets/sas 
4> packets input. 1449 byces, 9 no butter 
Reasived 415 braadnazte, O mumte, 0D qiante, © Eheattieas 
0 imput errors, O CRO, O Trame, © overrun, 9 ignored, 0 short 
45 packets output, 1444 bytes, © undercruce 
0 omeper errora, 0 eslitaions, 0 interface resera 


QO culpul bullec LCasluces, 0 culpul bullece snapped cul 


3 carrier transitions 


© 2004 Cisco Systems, Inc. All rights reserved. 


BCRAN v2.1—6-7 


After you have configured for ISDN connectivity, you can check the interface to see evidence 
of your configuration and some of the resulting call setup details. If your router acts as a TEI 
(has a native BRI), use the show interfaces bri EXEC command to monitor the interface and 
optionally, the individual B channels for the BRI interface. 


The command displays information on the encapsulation and channel status for LCP and 
Network Control Protocol (NCP), including the protocols that can transmit over the link. The 
figure displays output for the first B channel of the BRI. It shows that the interface is 
configured for PPP encapsulation, that LCP is Open (currently active), and that NCP is Open 
and has negotiated the protocols IP and Cisco Discovery Protocol (CDP) on the link. 
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DDR Configuration Test 
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This topic describes the debug dialer command and other commands, which are useful when 
troubleshooting a DDR configuration. 


DDR Configuration Test 
a eee 


BeanchPtdebug diales 
BranchF#ping 19.115.0.135 


Type escape sequence to abort. 
Sending 5, 100-byte ICMP Echos =p 10.115.0.125, taneovt is 2 seconds: 


*LIKK-3-" 3 Interface BRIO:2, changed state to uw 

dialer Protocol up fox BRO:2. 

SLINEPROPO-5-UPDOWN: Line protocol on Interface GRI0:2, changed state to 
uplt!! 

Sueresa rate is 89 percent (4/5), round-trip min/avg/mx = 32/34/36 ns 


SISDN-6-CONNECT: Interface BRIO:2 is now connected to 6000 CentralF 


tt 
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The debug dialer command displays debugging information about the packets received on a 
dialer interface. Some of the information indicates whether the multilink is up after 
authentication. 


The debug dialer command also shows when overload occurs. 
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The isdn test call interface and isdn disconnect interface commands are useful when testing 
an ISDN and DDR configuration. 


DDR Configuration Test wen) 


Router#isdn test call interdace interface-number dialing- 
string [64] 


Branch#isdn call interface bri 0 5552001 


* Used to test your DDR configuration 


Router#isdn disconnect interface interface-type interface- 
number {b1 | b2 | all} 


Branch#isdn call interface bri 0 5552001 


* Disconnects any data calls placed manually or 
caused by DDR 
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The isdn test call interface command can be used to test the DDR configuration. Introduced in 
Cisco IOS software Release 12.0(3)T, this command can also be used to verify the dialing 
string and speed without having to know the IP address of the remote router or without 
configuring a dialer map or string. 


Use the isdn disconnect interface command to disconnect any ongoing data calls placed 
manually or caused by DDR. 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
ee eer ri Sc OOD na 


* The show isdn status command can display a status 
summary of each of the three ISDN layers. 


* The debug isdn q921 and debug isdn q931 
commands display Layer 2 and Layer 3 debugging 
information. 


¢ The show interface bri command can be used to 
display PPP, B channel, and D channel 
information. 
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Summary (Cont.) 


° The debug dialer command displays debugging 
information about the packets received on a dialer 
interface. 


* To test your DDR connection, use the isdn call 
interface command. 


° To disconnect a call, use the isdn disconnect 
interface command. 
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Next Steps 
For the associated lab exercise, refer to the following section of the course Lab Guide: 


m Lab Exercise 6-1: Using ISDN and DDR to Enhance Remote Connectivity 
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Quiz 
Use the practice items here to review what you learned in this lesson. The correct answers are 


found in the Quiz Answer Key. 


Ql) ~~ Which Cisco router command is used to display data-link layer (Layer 2) access 
procedures that are taking place at the access router on the D channel (LAPD) of its 
ISDN interface? 


A) debug isdn q921 
B) debug isdn q931 
C) debug isdn q920 
D) debug isdn q941 
Q2) Which Cisco router command is used to display network layer (Layer 3) access 


procedures that are taking place at the access router on the D channel (LAPD) of its 
ISDN interface? 


A) debug isdn q921 
B) debug isdn q931 
C) debug isdn q941 
D) debug isdn q951 
Q3) — Which Cisco router command is used to display information about the BRI interface D 
channel only? 
A) show interface serial 0/0 
B) show interface Ethernet 0/0 
C) show interface bri 0 1 


D) show interface bri 0 


Q4) — Which Cisco router command is used to display information about the channel? 
A) show interface serial 0/0 
B) show interface Ethernet 0/0 
C) show interface bri 0 1 
D) show interface bri 0 2 
Q5) After you have configured for ISDN connectivity, you can check the interface to see 
evidence of your configuration. 
A) true 
B) false 
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Q6) The isdn call interface command can be used to verify the 
A) IP address and speed 
B) dialing string and IP address 
C) dialing string and speed 


D) connection 
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Quiz Answer Key 


Ql) A 

Relates to: ISDN Layer 2 debug Commands 
Q2) B 

Relates to: ISDN Layer 3 debug Commands 
Q3) D 

Relates to: ISDN BRI D Channel Monitoring 
Q4) oD 

Relates to: ISDN BRI B Channel Monitoring 
Q5) A 

Relates to: PPP on BRI Monitoring 
Q6) Cc 


Relates to: DDR Configuration Test 
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Module 7 | 


Using DDR Enhancements 


Overview 


This module introduces the configuration of dialer profiles and rotary groups. 


Objectives 


Upon completing this module, you will be able to: 


Outline 


Select appropriate dialup capabilities to place a call 
Configure rotary groups and dialer profiles 


Verify proper configuration and troubleshoot any incorrect configuration to properly 
initiate a call 


Configure and test the use of both ISDN B channels by calling the central and branch sites 
from the SOHO site. 


The module contains these lessons: 


Describing the Dialer Profile 
Configuring Dialer Profiles 
Verifying and Troubleshooting a Dialer Profile Configuration 
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Describing the Dialer Profile 


Overview 


This lesson contains an overview of dialer profiles, which provide improvements over dialer 
maps by separating the logical dialing configuration from the physical interfaces. 


Relevance 


To establish a dialup connection, there must be an understanding of the technology and 
components required, and how to configure them. This lesson provides an overview of dialer 
profile features and concepts. 


Objectives 


Upon completing this lesson, you will be able to: 
m Describe the purpose of a dialer profile 
m= List the four elements of a dialer profile 


m Describe the use of dialer map classes 


Learner Skills and Knowledge 


To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO) 
course 


m All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course 


Outline 
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This lesson includes these topics: 
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Overview 

Dialer Profile 

Dialer Profile Features 
Dialer Profile Elements 
Dialer Map Classes 


Summary 


Quiz 
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Dialer Profile 


This topic identifies the basic concepts of a dialer profile. 


Dialer Profiles Overview 


Remote LAN 
Bridge/Router 


Single-User Client 
with ISDN Card 


Single-User Client 
with ISON BRITA | 
or Modem 


Enhance Dial Flexibility 
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Dialer profiles separate the logical configuration from the interface receiving or making calls. 
Profiles can turn features on or off, and can define encapsulation, access control lists, and 
minimum or maximum calls. 


With dialer profiles, the logical and physical configurations are dynamically bound to each 
other on a per-call basis, which allows physical interfaces to dynamically take on different 
characteristics based on incoming or outgoing call requirements. 


Legacy dial-on-demand routing (DDR), although useful in many scenarios, is restrictive in 
instances where it is desired to differentiate per user by defining different characteristics to 
different users. This cannot be accomplished with legacy DDR. 


Dialer profiles were designed as a new DDR model to allow a user access to a specific profile. 
The profile would determine the characteristics of a particular user, and would be dynamically 
bound to a physical interface for incoming or outgoing DDR calls. 


Note Dialer profiles support PPP, High-Level Data Link Control (HDLC), Frame Relay, or X.25 
encapsulation for inbound or outbound dialing. PPP encapsulation is the recommended 
choice, and the discussion here will focus on PPP. 
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The advantages of dialer profiles over legacy DDR include: 


m There is no requirement for a Layer 3- to Layer 2-map and the added complexities of 
managing multiple maps. Unlike legacy DDR, the dialer profile is a point-to-point 
interface. 

m= Daialer profiles allow you to configure different members of a physical interface with 
different Layer 3 network addresses. 

m= Daialer profiles allow physical interfaces to take on different characteristics that are based 
on incoming or outgoing call requirements. 

m= Dhialer profiles allow a backup interface to be nondedicated and useable when the primary 
interface is operational. 

m= A DDR interface allows you to control the number of minimum and maximum 
connections. 

Note Prior to using dialer profiles, the ISDN bearer (B) channels on a BRI or PRI inherited the 


same physical interface configuration. When used as a backup interface, all B channels were 
down and unusable until the interface came out of backup mode. Dialer profiles solved this 
issue. 
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Dialer Profile Features 


This topic describes the different features of dialer profiles. 


Dialer Profiles Overview 


Physical Interface 


Logical Interface 


Dialer profiles were first introduced in Cisco IOS Software Release 11.2. They help users 
design and deploy complex and scalable circuit-switched internetworks by implementing a new 
DDR model in Cisco routers and access servers. Dialer profiles separate the logical portion of 
DDR (that is, the network layer, encapsulation, and dialer parameters) from the physical 
interface that places or receives calls. 


Dialer profiles address several dialup issues: 


= One configured interface per ISDN interface: Before dialer profiles, all ISDN B 
channels inherited the configuration of the physical interface. 


= Dialer map complexity: Before dialer profiles, one dialer map was required per dialer per 
protocol, making multiprotocol configurations very complex. 


= Limited dial backup: When a BRI or PRI is used to back up an interface, all the B 
channels are down and the entire interface is idle. None of the B channels could be used 
until the interface came out of backup mode. In addition, in a packet-switching 
environment with many virtual circuits that may need to be backed up individually, the 
one-to-one relationship between interfaces and backup interfaces would not scale well. 
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Dialer profiles let you create different configurations for each call on an ISDN interface, 
providing these configuration advantages: 


= Different IP subnets: You can configure each call on the ISDN interface with different IP 
subnets. 


= Different encapsulations: You can use different encapsulations of each call on the ISDN 
interface. However, only PPP and HDLC encapsulation are now supported. 


= Different DDR parameters: You can set different DDR parameters for each call on the 
ISDN interface. 


m= Multiple dialer pools: You can eliminate the waste of ISDN B channels by letting ISDN 
BRI interfaces belong to multiple dialer pools. 


Note Because of changes that were made to dialer profiles, it is recommended that Cisco IOS 
Software Release 12.1 or later be used. 
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Dialer Profile Elements 


This topic describes the elements that make up a dialer profile. 


Dialer Profile Elements 


Dialer Interfaces 


Dialer Poo! 1 Dialer Pool 


Member 1 
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A dialer profile consists of these elements: 


= Dialer interface: A logical entity that uses a per-destination dialer profile. 


—  Allconfiguration settings specific to the destination go into the dialer interface 
configuration. Multiple dialer maps can be specified for the same dialer interface. A 
dialer map can be associated with different per-call parameters that are defined with 
each dialer map class. 


— The dialer interface is configured with the IP address of the destination network, 
encapsulation type, PPP authentication type, dialer remote name (for PPP Challenge 
Handshake Authentication Protocol [CHAP]), dialer string or dialer map, dialer pool 
number, dialer group number, dialer list number, Multilink PPP (MLP), and optional 
dialer Idle-Timeout and dialer inband entries. 


m= Map class: An optional element that defines specific characteristics for a call to a specified 
dial string. 

m= Dialer pool: Each dialer interface references a dialer pool, which is a group of one or more 
physical interfaces associated with a dialer profile. 

m= Physical interfaces: Interfaces in a dialer pool are configured for encapsulation parameters 
and to identify the dialer pools of which the interface is a member. 


—  Channelized T1: Access link operating at 1.544 Mbps that is subdivided into 24 
channels (23 B channels and 1| data (D) channel) of 64 kbps each. The individual 
channels or groups of channels connect to different destinations. It supports DDR, 
Frame Relay, and X.25, and is also called fractional T1. 


Note Dialer profiles support PPP or HDLC encapsulation, PPP authentication (Password 
Authentication Protocol [PAP] or CHAP), and MLP. 
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Dialer Map Classes 


This topic describes dialer map classes. 


Dialer Map Classes 


Dialer interfaces Map Classes 
(Optional) 


Eng 


ee 


Market 
dialer Idie-Timeout 300 
| dialer isdn speed 64 


Finance 
dialer isdn speed 64 


Map classes supply configuration parameters to 
dialer interfaces 


inc. All rights reserved. 


Map classes are optional. They are used to specify different characteristics for different types of 
calls on a per-destination basis. 


In the figure shown, three map classes are used with the dialer interfaces. The telephone 
number being called determines which map class to use. A different map class might be used if 
a different number is called. 


The same map class can be used for multiple dialer interfaces. The configuration parameters of 
a map class are specific to one or more destinations. 


As an example, the map class for one destination might specify an ISDN speed of 64 kbps, 
while a map class for a different destination might specify an ISDN semipermanent connection. 
The dialer map class can also contain optional dialer timing parameters including dialer fast- 
idle, dialer idle-timeout, and dialer wait-for-carrier-time. 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
ee) a SINU P | 


Dialer profile elements include: 
* Dialer interface 
¢ Dialer pool 


* Physical interfaces 


¢ Optional dialer map-class 
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Quiz 
Use the practice items here to review what you learned in this lesson. The correct answers are 


found in the Quiz Answer Key. 


Ql) Which Cisco router feature was designed as a new DDR model to allow a user access 
to a specific profile? 


A) dialer calls 
B) dialer maps 
C) dialer profiles 
D) dialer groups 
Q2) Which Cisco router feature separates the logical portion of DDR (for example, the 


network layer, encapsulation, and dialer parameters) from the physical interface that 
places or receives calls? 


A) dialer groups 
B) dialer calls 
C) dialer maps 
D) dialer profiles 
Q3) Which element of the dialer profile is a logical entity that uses a per-destination dialer 
profile? 
A) a dialer interface 
B) the dialer map class 
C) a dialer pool 
D) physical interfaces 
Q4) — Which optional Cisco dialer map router feature is used to specify different 
characteristics for different types of calls on a per-destination basis? 
A) map rooms 
B) map profiles 
C) map classes 


D) map calls 
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Quiz Answer Key 


Ql) Cc 
Relates to: 
Q2) D 
Relates to: 
Q3) A 
Relates to: 
Q4) Cc 
Relates to: 
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Dialer Profile 


Dialer Profile Features 


Dialer Profile Elements 


Dialer Map Classes 
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Configuring Dialer Profiles 


Overview 


This lesson covers dialer profile configuration and how it relates the logical configuration to the 
physical interface. 


Relevance 


To establish dialup connections using dialer profiles, you must understand the steps to 
configure a dialer profile. 


Objectives 
Upon completing this lesson, you will be able to: 
= Configure physical interfaces to operate with dialer profiles 
m™ Create multiple dialer profiles 
™ Configure dialer interfaces to be used in a dialer profile 


m™ Customize a dialer profile for the dialup connection 


Learner Skills and Knowledge 


To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO) 
course 


m All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course 


Outline 
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This lesson includes these topics: 


Overview 

Dialer Profile Configuration Concepts and Commands 
Typical Dialer Profile Application 

Configuration of Dialer Interfaces 

Configuration of Physical Interfaces 

Dialer Profiles Configuration Example 

Summary 


Quiz 
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Dialer Profile Configuration Concepts and 
Commands 


This topic describes the basic configuration steps for a dialer profile. 


Dialer Profile Configuration Concepts and 
Commands 


M 
Dialer Cams 


Interface (optional) 


Physical Interface Dialer Pool 
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The configuration commands that create the relationships between the elements of a dialer 
profile are displayed in the figure. The commands and the configuration mode in which they 
are used are described in the following table. 


Dialer Profile Configuration Commands 


Command Description 


dialer string A dialer interface command that specifies the telephone number of the 
number class destination. The use of the optional keyword class, followed by the map class 
map class-name | name, points to a specific map class and uses the configuration commands of 
that map class in the call. 


dialer pool A dialer interface command that specifies the pool of physical interfaces 
number available to reach the destination subnetwork. A number between 1 and 255 
identifies the pool. 


dialer pool- An interface configuration command that associates and places a physical 
member number interface in a specifically numbered pool. A physical interface can belong to 
multiple dialer pools. Contention for a specific physical interface is resolved 
with a configured priority, which is optional. 


Note When you use the dialer pool command to configure a dialer interface, you create a dialer 
profile. You must use the dialer string command to allow the router to dial out. 
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Typical Dialer Profile Application 


This topic describes an example of a dialer profile application. 


Typical Dialer Profile Application 


Dialer Interface 1 i Dialer Interface 2 


10.14.14 10221 


The configuration displayed in this figure provides an example of a typical application of dialer 
profiles. Network RouterA has dialer interface | for DDR with subnetwork 10.1.1.0, and dialer 
interface 2 for DDR with subnetwork 10.2.2.0. 


Calls destined for subnetwork 10.1.1.0, and any of the networks reachable through it (networks 
3, 4, and 5), use dialer interface 1. 


Calls destined for subnetwork 10.2.2.0, and any of the networks reachable through it (networks 
6, 7, and 8), use dialer interface 2. 
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Configuration of Dialer Interfaces 


This topic describes the configuration of multiple dialer profiles. 


Configuration of Dialer Interfaces 
| ee Fae 


interface diszlcri 

ap s«dcirexx 10.1.1.1 
255.255.255.0 

encapsulation prp 

dialer remote-name amalluser 
dialer string 5554540 

dialer pool 0 

dialter-geoup i 

PPP suthentication ohap 

Ppp multilink 

! 
anterftace dialer? 

ip address 10.2.2.1 

258. 255.255.0 

encapsulation pop 

dialer remeote-name medicmuser 


damier atrang 5551254 cisas Org 
dialer load-threshold 50 either 


dialer pool i 
dialer-qroup ‘| 
ppp multilink 


(cont.)} 


interface dialer} 
ip address 10.3.3,1 255,258 255.0 
encapoulatian ppp 
dialer semle-nape powerusec 
dialer etring 415505321 clase Eng 


dialer hold-qeve 10 
daxlmr idle tiner 9999 


daalexr pool 2 
dialerc-grow 1 
Ppp mulsilink 
1 


map~ class dialer Eng 
daxler ixcn upend 56 


dialec-list 1 protcool I? paxmt 
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To configure dialer profiles, perform these tasks: 


1, 
2. 


Any number of dialer interfaces can be configured on a router. Each dialer interface is the 


Configure one or more dialer interfaces. 


Configure a dialer string and optionally a dialer map class to specify different 


characteristics on a per-call basis. 


Configure the physical interfaces and attach them to a dialer pool. 


complete configuration for a destination. The interface dialer global command creates a dialer 
interface and enters interface configuration mode. 
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The figure displays dialer profiles that are created using the commands listed in the table. 


interface dialer Command 


Command 


ip address address mask 


Description 


Specifies the IP address and mask of the destination 
network. 


dialer remote-name name 


Specifies the remote router name, which is passed for 
CHAP authentication. 


dialer string string class 
map class-name 


Defines the destination of the router telephone number, 
and supports optional map classes. Map classes are 
covered in the next table. 


dialer load-threshold load 
[outbound | inbound | 
either] 


Specifies at what traffic load additional links will be 
brought up for MLP. Valid values are 1 to 255. Optionally, 
you may specify which direction of traffic is used to 
calculate the actual load. If you want the links to remain in 
a MLP bundle indefinitely, use a very high dialer Idle- 
Timeout value (9999, for example) instead of a dialer 
load-threshold. 


dialer hold-queue number- 
of-packets 


Specifies the length of the queue for packets that are 
waiting for the line to come up. Valid values are from 0 to 
100. 


dialer pool number 


Binds a dialer interface to a dialer pool configured with the 
dialer remote-name command that gives the CHAP 
username for a remote user. Valid values are from 1 to 
255. 


dialer-group group-number 


Specifies a dialer list that defines “interesting” packets to 
trigger a call for DDR. The dialer-list command can 
reference access lists to more specifically define 
“interesting” packets. Valid values are from 1 to 10. 


ppp multilink 


Specifies that this dialer interface uses MLP. This 
command is placed on the physical interface for incoming 
calls, in the dialer profile for outgoing calls, and on both 
the interface and dialer profile when incoming and 
outgoing calls are expected. 


dialer-list group-number 


Associates a DDR dialer list for dialing by protocol or by a 
combination of protocols and a previously defined access- 
list. 


After the interface is configured, an optional dialer map class can be defined. Use the map- 
class dialer class-name command to specify a map class and enter the map class configuration 
mode. In the figure, the dialer “interface dialer3” is associated with map class “Eng.” Any 
dialer associated with this map class will set the ISDN line speed to 56 kbps. You can set the 
speed to 56 kbps, but 64 kbps is the default value. 
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The following table shows other map-class commands that are available in map class 
configuration mode. 


map-class Commands 


Command Description 


dialer isdn [speed | Specifies the ISDN line speed. The default is 64 kbps; therefore, the 

56 | spel parameter is used only with 56-kbps line speed. [spc] is used for 
specifying that an ISDN semipermanent connection will be used for calls 
associated with this map. 


dialer idle- Specifies the idle timer values to use for the call. This timer disconnects 

timeout seconds the call if there has been no data for the specified time. Defaults to 120 
seconds. 

dialer fast-idle Specifies the fast-idle timer value to use for a call. This timer specifies a 

seconds quick disconnect time if there is another call waiting for the same 


interface and the interface is idle. The waiting call will not have to wait for 
the idle timer to expire. Defaults to 20 seconds. 


dialer wait-for- Specifies the Carrier Detect (CD) time value to use for the call. The call 
carrier-time is abandoned if no carrier is detected within the time value specified. 
seconds 
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Configuration of Physical Interfaces 


anterface brid/o 

encapsulation ppp 

dialer pool-member 0 priority 
Ppp authentication chap 

Prep multilink 

t 
interface brid/1l 

encaprulation prp 

dialer pocl~member i pricrity 
PrP authentication chap 

Ppp multilink 

! 
interface $1/0:23 


encapsulation ppp 

dialer pool-member 0 priority 
Gialer poocl-member 1 pricrity 
dialer pool-member 2 pricrity 
Ppp authentication chap 

Ppp moltilink 


isco Systems, Inc. All rights reserved. 


This topic describes the steps that are needed to configure the physical interfaces used by the 
dialer profiles. 


"The higher the priority number assigned, the higher the priority given. 
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Use the dialer pool-member command to assign a physical interface to a dialer pool. An 
interface can be assigned to multiple dialer pools by using this command to specify several 
dialer pool numbers. A combination of synchronous, serial, BRI, or PRI interfaces can be 
assigned with dialer pools. 


Use the priority option of this command to set the interface priority within a dialer pool. The 
priority keyword is used only when dialing out. 
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The following table shows the arguments that are used with the dialer pool-member 
command. 


dialer pool-member Command 


Command Description 
number Specifies the dialer pool number. This is a decimal value from 1 to 255. 
priority Sets the priority of the physical interface within the dialer pool. This is a decimal 
priority value from 1 (lowest) to 255 (highest). Interfaces with the highest priority number 
number are selected first when dialing out. Use this to determine which interfaces are 
used the most, or which are reserved for special pool uses. 

min-link Sets the minimum number of ISDN B channels on an interface reserved for this 
ninimum dialer pool. This is a number from 1 to 255 (used for dialer backup). 
max-link Sets the maximum number of ISDN B channels on an interface that can be used 
maximum for this dialer pool. This is a number from 1 to 255. 

Note The optional min-link and max-link apply to ISDN interfaces only. The max-link defaults to 


255, and the min-link defaults to 0. A reserved channel is inactive until it is used by the 
specified interface. 
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Dialer Profiles Configuration Example 


This topic describes an example configuration of two dialer profiles. 
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Dialer Profiles 


Configuration Example 
eee OE 


interface dialerd 
ap unnumberncd LoophackO 
encapsulation ppp 
dialer remote-name RouterA 
dialer pool 1 
dialer etring 5551212 
dialer-group 1 
Pep multilink 
1 
interface dialerl 
ip unnumbered loopback0 
onaapsulabaon ppp 
chaler remote-name Routers 
dialer pool 1 
cialer string 5551234 
dialer-group 1 
ppp multalank (cont. } 


interfaces brid 
encapsulation ppp 
chaler pool-menber 1 
pre authentication chap 
Pre multilink 

' 

interface seriald 
ip unnumbered loopbsckO 
backup interface dialerd 
backup delay 5 10 

! 

intarfacs seriall 
ip unmunbered loophackd 


backup interface dislerl 
backup dalay 5 19 
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The dialer interfaces are visible to the upper-layer protocols only, not to the physical interfaces 
making up the dialing pool. Because one dialer interface maps to one destination, addressing, 
access lists, and static routes can be specified on a per-destination basis, regardless of which 
interface actually carries out the call. 


Dialer commands can be configured under the dialer interface directly. The same command 
may appear more than once, possibly with different parameters. The order of precedence is as 
follows (from highest to lowest): 


m Map class parameters 


m= Interface parameters 


Note 


Refer to the “Configuring Dialer Interfaces” figure earlier in this lesson for examples of the 


use and syntax for the map-class command. 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
EE eee 


* Dialer profiles allow logical and physical 
configurations to be dynamically bound to each 
other on a per-call basis. 


* Basic configuration of an interface dialer includes 
dialer string, dialer pool, dialer-group, 
encapsulation, and logical address. 


* Physical interfaces are assigned via the 
dialer pool-member command. 
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Quiz 
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Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 


Ql) 


Q2) 


Q3) 


Q4) 


Q5) 


Which interface configuration command associates and places a physical interface in a 


specifically numbered pool? 


A) dialer pool-member number 

B) dialer pool number 

C) dialer string number class map class-name 
D) dialer interface 


Which dialer interface command specifies the phone number of the destination? 


A) dialer interface 

B) dialer string number class map class-name 
C) dialer pool number 

D) dialer pool-member number 


Which Cisco router global command creates a dialer interface and enters interface 
configuration mode? 


A) interface caller 
B) interface group 
C) interface dialer 


D) interface port 


Which Cisco router command is used to assign a physical interface to a dialer pool? 


A) dialer pool-member 
B) pool-dialer member 
C) dialer member-pool 


D) pool member-dial 


At which Cisco router configuration level are dialer profile commands configured? 
A) under the serial interface directly 

B) under the dialer interface directly 

C) under the Ethernet interface directly 

D) under the BRI interface directly 
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Quiz Answer Key 


Ql) A 
Relates to: 
Q2)  B 
Relates to: 
Q3) Cc 
Relates to: 
Q4) A 
Relates to: 
Q5)  B 
Relates to: 
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Dialer Profile Configuration Concepts and Commands 


Typical Dialer Profile Application 


Configuration of Dialer Interfaces 


Configuration of Physical Interfaces 


Dialer Profiles Configuration Example 


Using DDR Enhancements 
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Verifying and Troubleshooting 
a Dialer Profile Configuration 


Overview 


This lesson covers the commands that are used to verify and troubleshoot a dialer profile 
configuration. 


Relevance 


To verify and troubleshoot the operation of a dialup connection using dialer profiles, you must 
understand the show and debug commands. 


Objectives 
Upon completing this lesson, you will be able to: 
m Describe the output from the show dialer command 
m= Describe the output from the show interfaces dialer command 
m™ Describe the output from the debug dialer command 
= Troubleshoot unsuccessful outgoing calls 


= Troubleshoot unsuccessful incoming calls 


Learner Skills and Knowledge 
To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO) 
course 


m All knowledge presented in the Jnterconnecting Cisco Network Devices (ICND) course 


Outline 
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This lesson includes these topics: 


Building Cisco Remote Access Networks (BCRAN) v2.1 


Overview 

Verification of Dialer Profiles 
Outbound Dialing Issues 
Outbound Binding Issues 
Examples 

Inbound Call Issues 
Disconnect Issues 


Summary 


Quiz 
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Verification of Dialer Profiles 


This topic describes the show dialer interface and the show dialer interface commands. 


Verification of Dialer Profiles 


NAS Meahow danler intertacs aril 


Dial &tring Encoassan Pailures Last. called tant statuna 
5553972 6 3 1S secs Successful 
O incoming call(s) have been screened. 

BRIC; BeChannel 1 

Idle timer (120 secs). Fast idle timer (20 secal 

¥. 9 erier 0 Ro-cnable 


R 5 seco 


Time wntil disconnect 102 secs 


Curcentl wall commescled 00:09:19 
Connected te SSS38/%2 («xyxtect) 


BRIC; B-Channel 2 

Tdle timer (120 saca). Fast idle tamar (20 sera} 
Wait for carrier (30 secs}, HKe-enable (15 secs) 
Dialer state is idle 
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The show dialer interface bri number command displays information in the same format as 
the legacy DDR statistics on incoming and outgoing calls. 


In the figure, the message “Dialer state is data link layer up” suggests that the dialer came up 
properly. 


If the message “physical layer up” is displayed, it means that the line protocol came up but the 
Network Control Protocol (NCP) did not. 


In the figure, “Dial reason” refers to the source and destination addresses of the packet that 
initiated the dialing. 
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Verification of Dialer Profiles ont) 


BReontert show sntecfeces diwlewsl 
Hardware a2 Unknown 
Internnt address is 1.1.1.1/24 
MT 1500 bytes, BW 64 Kbit, DLY 20000 usem, mly 255/258, load 1/255 
loopback not set 
DIR is pulsed for 1 seconds on reset 


aat input : : , Sttputl never, cutput hang never 
Last olearing of "show interZace" countere 00°95°36 


< Outpot Omitted > 


Nardware Ty mRr 
MI 1500 bytes, BW 64 Khit, DEY 20900 usame, =ely 255/255, load 1/255 
Encapsulation PPP, loopback not eet eepalive not set 


7 


< Outpot Omitted > 
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The show interface dialer command displays information on incoming and outgoing calls. 


In the figure, the messages “Dialer1 is up, line protocol is up” and “BRIO:1 is up, line protocol 
is up” suggest that the dialer came up properly. 


The message “Interface is bound to BRIO:1” informs you that this dialer is bound to the 1 B 
channel. 


You also know that BRIO:1 is active and that the PPP encapsulation has been applied by the 
dialer interface. 
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Outbound Dialing Issues 


This topic describes the use of the debug dialer command. 


Outbound Dialing Issues: Dialing Never 


Occurs 
ee a OO | 


Router? debug diales 

Routerct 

Router#¥ping 10.1.1. 

Type cseape sequence to abort. 

Semiing 5, 100-byte ICMP Echos to 10.1.1.1, timeout ie 2 seconds: 

Mar 1 00:24:47,242: BRO DDR: rotor dialoct [priority] 

*Mar 1 00:24:47,280: BRO DMR: Dialing canse ip (95197 168.1,%, d610.1,1,1) 


“Mar lL 00:24:47.250; BRO DOR Att q to dial 551221 


As is the case with legacy DDR, the most appropriate command for debugging dialer profile 
problems is debug dialer. In the case of a successful call, the debug will not indicate any more 
than the logged messages already have indicated. In the case of a failure, there are a number of 
problems that can be the cause. 


Enable debug dialer and generate interesting traffic to the peer. The router should attempt to 
dial. In the figure, dialing is attempted but never occurs. 


The following is an example output: 


Router# debug dialer 

Router# ping 10.1.1.1 

Try escape sequence to abort. 

Sending 5, 100 byte ICMP Echos to 10.1.1.1, timeout is 2 seconds: 
*Oct 1 00:24:47.242: BRO DDR: rotor dialout [priority] 


*Oct 1 00:24:47.250: BRO DDR: Dialing cause ip (s=192.168.1.1, 
d=10.1.1.1) 
*Oct 1 00:24:47.250: BRO DDR: Attempting to dial 5551111 


Verify if debug dialer generates any debug output. If there is no debug dialer output, it is most 
likely because the IP packet being sent is not routed to the dialer interface, or binding fails. 


Copyright © 2004, Cisco Systems, Inc. Using DDR Enhancements 7-33 


Outbound Binding Issues 


This topic describes troubleshooting for unsuccessful outgoing calls. 


Outbound Binding Issues: 
Dialing Never Occurs 


Router# *Mar 1 07:20:45.676: Di1l5: Cannot place call, no dialer pool set 


¢ Configure the dialer pool command on the dialer 
interface. 


Router# *Mar 1 11:54:14.937: Di1l5: No free dialer - starting fast idle timer 


° Enter the dialer pool-member command on the 
physical interface to associate it to the dialer pool. 


If the dialer profile is not associated with a dialer pool, debug dialer will indicate the following 
for an outbound call: 


*Mar 1 07:20:45.676: Dil5: Cannot place call, no dialer pool 
set 


The solution is to configure the dialer pool command on the dialer interface. 


If the physical interface is not associated with any pool, the debug message on the calling router 
will be the same as in the case where physical interfaces are no longer available, causing the 
fast idle timer to trigger: 


*Mar 1 11:54:14.937: Dil5: No free dialer - starting fast idle 
timer 


The solution is to enter the dialer pool-member command on the physical interface to 
associate it to a dialer pool. 
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After you have verified that the dialer pool configuration is correct, perform the following 
tasks: 


m Verify that IP is configured on the dialer interface. You should either have an IP address on 
the interface or ip unnumbered type number (where type number is another interface on 
which the router has an assigned IP address) or ip address negotiated. 


m Check whether the command ip routing is configured. When you look at your 
configuration using the show running-config command, you should not see the command 
no ip routing configured. 


m= Ensure that there is a static route pointing at the dialer interface. The following example is 
a Static route for 172.22.53.0/24 with next-hop dialer 1: 
Router (config)#ip route 172.22.53.0 255.255.255.0 dialer 1 


m™ Verify that the dialer interface is not in shutdown state. Use the show interface dialer 
interface command to verify that the interface is up/up or check to see if no shutdown 
exists under the dialer interface configuration. 
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Examples 


This topic describes examples of troubleshooting when dialing does not occur. 


Examples 


° No dialer-group configured on the dialer interface 


No dialer-group defined 


¢ Dialer-list does not exist 


dialer-list 1 not defined 


* No physical interface available to make the call 


No free dialer 
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Another scenario occurs when there is debug output, but there is no “Attempting to Dial” 
message generated. In this case, there is probably an IP packet routed to the interface, but the 
router discards it and does not initiate the call for some reason. Look at the debug dialer output 
to find out why the call attempt is not made. 


The following are examples of output generated by the debug dialer command. The examples 
focus on specific problems followed by possible solutions. 


Example 1 


*Mar 1 00:07:22.255: Dil DDR: ip (s=10.1.0.1, 
d=192.168.201.1), 


100 bytes, outgoing uninteresting (no dialer-group defined). 


There is no dialer-group configured on the dialer interface. Add a dialer-group as in this 
example: 


interface Dialerl 


dialer-group 1 
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Example 2 


*Mar 1 00:08:24.919: Dil DDR: ip (s=10.1.0.1, 
d=192.168.201.1), 


100 bytes, outgoing uninteresting (dialer-list 1 not 
defined). 


There is a dialer group statement on the dialer interface, but the dialer list referred to does not 
exist. Configure the dialer list as in this example: 


dialer-list group-number protocol ip permit 


Note The value for group-number of the dialer-group command must match dialer-group-number 
of the dialer-list command. For example, the number 1 in dialer-group 1 matches 
dialer-list 1. 


Example 3 


*Mar 1 00:25:32.551: Dil DDR: ip (s=10.1.0.1, 
d=192.168.201.1), 


100 bytes, outgoing interesting (ip PERMIT) 
*Mar 1 00:25:32.555: Dil DDR: No free dialer - starting fast 
idle timer. 


In this case, the outgoing packet is considered interesting enough to bring up the link, but there 
is no physical interface available to place the call. Make sure that dialer pool-member number 
is configured in the physical interface and dialer pool number is configured in the dialer 
interface. For example: 


interface BRIO 
dialer pool-member 1 
! 

interface Dialerl 
dialer pool 1 


Also, verify that the physical interface is not in shutdown state. Use the no shutdown 
command on the physical interface. 


Example 4 


*Mar 1 00:37:24.235: Dil DDR: ip (s=10.1.0.1, 
d=192.168.201.1), 


100 bytes, outgoing interesting (ip PERMIT) 


*Mar 1 00:37:24.239: Dil DDR: Cannot place call, no dialer 
string set. 


In this case, no dialer string dial-string is configured on the dialer interface. The router wants 
to place a call but does not know the number to call. Define a dialer string: 


interface Dialerl 


dialer string 8134 
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Inbound Call Issues 


This topic describes troubleshooting for unsuccessful incoming calls. 


Inbound Call Issues 


¢ Check configured dialer pool on dialer interface. 
* Check authentication on the physical interface. 
° Check remote dialer name on the dialer interface. 


When incoming calls fail to connect with a dialer profile, there may a problem with binding the 
physical interface to the dialer interface for that call. Verify that the router meets one of the 
conditions for binding. 


Follow these steps: 


Step 1 If the dialer profile is not associated with a dialer pool, debug dialer will indicate 
the following for an inbound call: 


*Mar 1 11:51:24.873: BRIO:1: Authenticated host Branch with no 
matching dialer profile 


Solution: Configure the dialer pool command on the dialer interface. 


Step 2 There are four attempts to bind. Assuming that you have more than one dialer 
profile, the calling line identification (CLID) and dialed number identification 
service (DNIS) bind attempt fails, and PPP authentication is not configured 
(preempting the possibility of the fourth test), then the following debug dialer 
message will be generated on the called router: 


*Mar 1 11:59:36.521: ISDN BRO:1: Incoming call rejected, 
unbindable 


Solution: Configure ppp authentication chap | pap [callin] on the physical 
interface. 
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Step 3 If PPP authentication is enabled on the physical interface, then the fourth attempt to 
bind will proceed. The router will use the authenticated username in an attempt to 
bind to one of the dialer interfaces in the dialer pool. If that attempt fails, you will 
see the following debug output on the called router. 


*Mar 1 12:03:32.227: BRIO:1: Authenticated host Branch with no 
matching dialer profile 


Solution: Configure the dialer remote-name command on the dialer interface. The 
name specified must exactly match the username provided by the remote router for 
authentication. In this example, the authenticated username is “Branch.” 
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Disconnect Issues 


This topic describes troubleshooting for calls that are unexpectedly disconnected. 


Disconnect Issues 
N,N 


¢ Check dialer Idle-Timeout values. 
* Check interesting traffic definition (ACL). 


router#debug dialer packet 


A common problem affecting dialup links is unexpected call drops. Dialer drops are calls that 
are disconnected prematurely, or calls that never disconnect. There are many reasons for this, 
including hardware failures and telco issues. However, one of the most common causes for 
unexpected call drops is the expiration of the Idle-Timeout. 


Another common Idle-Timeout problem occurs when the link does not disconnect because the 
Idle-Timeout never expires. This situation can result in high toll charges for connections that 
are charged, based on the time that the call is connected. 


If the call disconnects unexpectedly, or the call never disconnects, check the dialer Idle- 
Timeout and interesting traffic definition. Use the debug dialer packet command to see if a 
particular packet is interesting or not. For example: 


Apr 26 01:57:24.483: Dil DDR: ip (s=192.168.1.1, d=224.0.0.5), 
64 bytes, 


outgoing uninteresting (list 101) 


Apr 26 01:57:26.225: Dil DDR: ip (s=192.168.1.1, d=10.1.1.1), 
100 bytes, 


outgoing interesting (list 101) 


In the last example, Open Shortest Path First (OSPF) hellos are uninteresting per access-list 
101, while the second packet is interesting per access-list 101. 


Adjust the dialer idle-timeout in the dialer interface configuration. The default is 120 seconds, 
but you may wish to raise or lower this value depending on your needs. 
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Change the interesting traffic definition (configured with the dialer-list command). If the call 
disconnects prematurely, you may wish to define the interesting traffic more loosely. If the call 
never disconnects, change your interesting traffic definition to be more restrictive. For example, 
you can define routing protocol traffic as uninteresting. The following is a sample interesting 
traffic definition: 

access-list 101 remark Interesting traffic for dialer-list 1 

access-list 101 deny ospf any any 

!--- mark OSPF as uninteresting. This will prevent OSPF hellos 

!--- from keeping the link up. 

access-list 101 deny udp any any eq ntp 

!--- Define ntp traffic as NOT interesting. 

!--- This will prevent periodic ntp traffic from keeping the 

!--- link up indefinitely. 

access-list 101 permit ip any any 


!--- All other IP traffic is interesting. Change this 
depending on your traffic needs. 


dialer-list 1 protocol ip list 101 


The following symptoms may indicate issues related to the Idle-Timeout: 
m™ Calls get disconnected every 120 seconds after the connection is established. 


This disconnection is normally due to the default Idle-Timeout of 120 seconds being 
enabled, while the interesting traffic definition is either not defined or is not applied to the 
interface. Although the dialer in-band command enables a default Idle-Timeout of 120 
seconds on the interface, this value does not appear in the show running-configuration 
output. Because the default Idle-Timeout is not visible, a 120-second disconnect is often 
misdiagnosed. 


™ Calls get disconnected every x minutes after the connection is established. 


This disconnection occurs because the Idle-Timeout is being configured (using the dialer 
idle-timeout command), while the interesting traffic definition is either not defined or is 
not applied to the interface. 


m™ Calls disconnect prematurely. This problem is probably due to a low dialer Idle-Timeout 
value, or a restrictive interesting traffic definition. 


™ Calls do not disconnect. This problem is probably caused by a high dialer Idle-Timeout 
value, combined with a loose interesting traffic definition. 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
Se | 


° The show dialer and show interface dialer commands 
are useful when verifying proper operation of a 
dialer profile. 


° The debug dialer command is useful when 
troubleshooting dialer profile functionality. 


Next Steps 
For the associated lab exercise, refer to the following section of the course Lab Guide: 


m Lab Exercise 7-1: Using Dialer Profiles to Enhance DDR 
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Quiz 
Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 


Ql) — Which Cisco router command displays information on incoming and outgoing calls? 


A) show interface dialer 
B) show dialer ver 

C) show dialer mem 

D) show dialer calls 


Q2) What is the most appropriate command for debugging dialer profile problems? 
A) show dialer 
B) debug dialer 
C) show calls 
D) debug calls 


Q3) When debug dialer output indicates that the dialer profile is not associated with a dialer 
pool, which of the following is the most appropriate solution? 


A) enter the dialer pool-member command on the physical interface to associate 
it with a dialer pool 

B) configure the dialer call command on the dialer interface 

C) configure the dialer pool command on the dialer interface 

D) configure the dialer group command on the dialer interface 


Q4) — When you have a problem or error message such as “no dialer group configured on the 
dialer interface,” what is most likely the problem? 


A) No dialer string is set. 

B) There is no free dialer. 

C) No dialer group has been defined. 
D) There is no dialer list. 


Q5) | How many attempts are made to bind the physical interface with the dialer interface for 


that call? 
A) 2 
B) 3 
C) 4 
D) = 
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Q6) | Acommon issue affecting dialup links is unexpected call drops. Which command is 
most appropriate to use to see if a particular packet is interesting or not when calls are 
disconnected prematurely (or when they never disconnect)? 


A) debug dialer packet 


B) show run 
C) erase start 
D) reload 
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Quiz Answer Key 


Ql) 


Q3) 


Q4) 


Q5) 


Q6) 


A 


Relates to: 


B 


Relates to: 


Cc 


Relates to: 


Cc 


Relates to: 


Cc 


Relates to: 


A 


Relates to: 
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Verification of Dialer Profiles 


Outbound Dialing Issues 


Outbound Binding Issues 


Examples 


Inbound Call Issues 


Disconnect Issues 


Using DDR Enhancements 


7-45 
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Module 8 | 


Configuring Frame Relay with 
Traffic Shaping 


Overview 


This module reviews Frame Relay operation and configuration. It also covers traffic shaping. 
You will learn how to configure Frame Relay traffic shaping (FRTS) on a Cisco router. 


Objectives 


Upon completing this module, you will be able to: 


Outline 


Configure Frame Relay so that two sites can exchange data 


Configure the subinterfaces on each virtual interface to solve a reachability problem caused 
by split horizon 


Configure FRTS 


Verify proper configuration and troubleshoot an incorrect configuration so data travels as 
intended across the Frame Relay link 


The module contains these lessons: 


Reviewing Frame Relay 

Configuring Frame Relay 

Verifying Frame Relay Configuration 
Configuring Frame Relay Subinterfaces 
Identifying Frame Relay Traffic Shaping Features 
Configuring Frame Relay Traffic Shaping 
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Reviewing Frame Relay 


Overview 


This lesson provides an overview of Frame Relay features and operation. 


Relevance 


To establish a Frame Relay connection, there must be an understanding of the technology and 
components required, and how to configure them. 


Objectives 
Upon completing this lesson, you will be able to: 
m™ Describe the basic features of Frame Relay 
m™ Describe how Frame Relay connections operate over VCs 


m Explain the function of the LMI and how it operates 


Learner Skills and Knowledge 


To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m All knowledge presented in the /ntroduction to Cisco Networking Technologies (INTRO) 
course 


m All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course 


Outline 


8-4 


This lesson includes these topics: 


Overview 

Frame Relay Overview 
Frame Relay Operation 
Frame Relay Signaling 


Summary 


Quiz 
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Frame Relay Overview 


This topic provides an overview of Frame Relay concepts and features. Frame Relay is an 
important and popular WAN connection standard. 


Frame Relay Overview 


DCE or Frame 
Relay Switches 


DTE or 


a 


(Token) UNI 
\Ring / User-Network Interface 


¢ Virtual circuits make connections 
* Connection-oriented service 


Frame Relay is an International Telecommunication Union Telecommunication Standardization 
Sector (ITU-T) and American National Standards Institute (ANSI) standard. Frame Relay 
defines the process for sending data over a public data network (PDN). As a next-generation 
protocol to X.25, it is a connection-oriented data-link technology that is streamlined to provide 
high performance and efficiency. Frame Relay relies on upper-layer protocols for error 
correction and more dependable fiber and digital networks. 


The connection between the customer and the service provider is known as the User-Network 
Interface (UNI). The Network-to-Network Interface (NNIJ) is used to describe how different 
Frame Relay service provider networks connect to each other. ATM is the technology 
commonly used within the network of the service provider to carry Frame Relay data. 
However, regardless of the technology that is used inside the cloud, the connection between the 
customer and the Frame Relay service provider is still Frame Relay. 


Note that Frame Relay defines the interconnection process between the customer premises 
equipment (CPE, also known as DTE), such as a router, and the local access switching 
equipment of the service provider (known as DCE). Frame Relay does not define how the data 
is transmitted within the Frame Relay cloud of the service provider. 
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Frame Relay Operation 


8-6 


This topic describes the operation of Frame Relay. Frame Relay connections operate over 
virtual circuits (VCs). Each VC is identified by a data-link connection identifier (DLCI) that is 
mapped to an IP address. 


Frame Relay Operation 


PVC using DLC! 500 


DLCi=500 


os |) 


IP | 
| (10.4.1.4) 


° Get locally significant DLSIs from your Frame 
Relay provider 


¢ Map your network addresses to DLCls 
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Frame Relay provides a means for statistically multiplexing many logical data conversations— 
or VCs—over a single physical transmission link. Frame Relay assigns connection identifiers to 
each pair of DTE devices. The switching equipment of the service provider constructs a table 
that maps connection identifiers to outbound ports. When a frame is received, the switching 
device analyzes the connection identifier and delivers the frame to the preestablished, 
associated outbound port. The association of a connection identifier to an outbound port is 
established when the VC is created, and occurs before any data is transferred across the link. 


Frame Relay networks are known as nonbroadcast multiaccess (NBMA) networks. Multiaccess 
means that a customer with a single connection to the Frame Relay network (cloud) has the 
ability to communicate with any other customer remote network. This communication remains 
as long as the customer is connected to the same Frame Relay network of the provider. A single 
connection to a Frame Relay network of the provider is likely to be much less expensive than 
separate leased lines to each remote site, particularly where long distances exist between sites. 


The service provider must set up a VC between these sites within the Frame Relay network so 
that any two sites that are connected to the same Frame Relay network are able to 
communicate. Service providers typically charge for each VC. With a full-mesh topology, this 
could be expensive, depending upon the number of circuits needed. Many enterprises use hub- 
and-spoke topology, with VCs between a central site and each of the branch offices. In this 
configuration, the traffic must pass through the central site in order for two branch offices to 
reach each other. 
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The VCs can be either permanent virtual circuits (PVCs) or switched virtual circuits (SVCs). 
PVCs are permanently established connections that are used when there is frequent and 
consistent data transfer between DTE devices across a Frame Relay network. 


Based on specifications from ANSI T1.617, ITU-T Q.933 (Layer 3), and Q.922 (Layer 2), 
Frame Relay now supports SVCs. SVCs are temporary connections used when there is only 
sporadic data transfer between DTE devices across a Frame Relay network. Because they are 
temporary, SVC connections require call setup and termination for each connection. Cisco IOS 
Software Release 11.2 and later support Frame Relay SVCs. You must determine whether your 
carrier supports SVCs before implementing them. 


Note Frame Relay SVCs are not covered in this course. 


Data-Link Connection Identifier 


Frame Relay uses a DLCI to identify the logical VC between the CPE and the Frame Relay 
switch. The Frame Relay switch maps the DLCIs between each pair of routers to create a PVC. 
DLCIs have local significance because the identifier references the point between the local 
router and the Frame Relay switch to which it is connected. Although some Frame Relay 
service providers use globally significant DLCIs, this is not the norm. Your Frame Relay 
provider sets up the DLCI numbers to be used by the routers for establishing PVCs. 


Some Frame Relay providers allow their customers to choose their DLCI numbers, within a 
specific range, usually between 16 and 1007. DLCIs 0 through 15, and DLCIs 1008 through 
1023 are reserved for special purposes: DLCI 1019 and DLCI 1020 are reserved for multicasts, 
DLCI 1023 is reserved for Cisco LMI, and DLCI 0 is reserved for ANSI and Q933A LMI 


types. 


DLCI-to-Address Mappings 


To pass data over the Frame Relay circuit, you must associate each local DLCI with a 
destination address. This association, or mapping, tells the router which DLCI to use when 
packets are destined for the remote address. For example, referring to the figure, an 
administrator would map the IP address of the destination Frame Relay interface (10.1.1.1) to 
DLCI 500, which is the PVC to that remote router. Any routes that point to 10.1.1.1 as the 
next-hop IP address will use this mapping that the PVC identified as DLCI 500, and forward 
packets to the remote site. 


On Cisco routers, the address mapping can be either configured manually or dynamically 
assigned. With dynamic address mapping, Frame Relay Inverse Address Resolution Protocol 
(Inverse ARP) is used to dynamically discover the protocol address of the remote device 
associated with a given PVC. During initial link establishment, the router sends an Inverse ARP 
packet out each active DLCI and requests the next-hop protocol addresses from the device at 
the other end of the connection. The remote device responds with the protocol addresses 
associated with that PVC. The router then updates its mapping table and uses the information to 
forward packets on the correct route. 


When packets are sent across the network, the intermediate switches look up the DLCI in the 
map table and perform the following 
m= Ifthe DLCI is defined on the link, the switch forwards packets toward their destination. 


= Ifthe DLCI is not defined on the link, the switch discards the frame. 
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Frame Relay Signaling 


This topic describes the function of the Local Management Interface (LMI) and how it 
operates. Routers and Frame Relay switches communicate using an LMI signaling standard. 


Frame Relay Signaling 


| 400=Inactive OLCFS500 


Central = pLci=400 


Cisco supports three LMI standards: 
» ANSI 11.617 Annex D 

¢ ITU-T Q.933 Annex A 

° Cisco 
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Local Management Interface 


LMI is a signaling standard between the CPE device and the Frame Relay switch that is 
responsible for managing the connection and maintaining status between the devices. LMI 
supports the following items: 


m= A keepalive mechanism, which verifies that data is flowing 
m= A multicast mechanism, which provides the DTE with its local DLCI 


= Multicast addressing, which gives DLCIs global rather than local significance in Frame 
Relay networks 


m A status mechanism, which provides an ongoing status on the DLCIs known to the switch 


Although LMI is configurable, beginning in Cisco IOS software Release 11.2, the Cisco router 
attempts to autosense the LMI type that the Frame Relay switch is using by sending one or 
more full status requests to the Frame Relay switch. The Frame Relay switch responds with one 
or more LMI types. The router configures itself with the last LMI type received. 


Cisco routers support three LMI types: 


m™ Cisco: Cisco LMI type defined jointly by the “Gang of Four” (Cisco, StrataCom, Northern 
Telecom, and Digital Equipment Corporation) 

m ANSI: ANSI T1.617 Annex D 

m Q933a: ITU-T Q.933 Annex A 
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If LMI autosensing does not take place, then the administrator setting up a connection to a 
Frame Relay network must choose the appropriate LMI from the three supported types to 
ensure proper Frame Relay operation. 


When an Inverse ARP request is made, the router updates its map table with one of three 
possible PVC connection states: 
= Active state: Indicates that the connection is active and that routers can exchange data 


m Inactive state: Indicates that the local connection to the Frame Relay switch is working, 
but the remote router connection to the Frame Relay switch is not working 


m™ Deleted state: Indicates that no LMI is being received from the Frame Relay switch, the 
DLCI has been removed from the Frame Relay switch, or there is no service between the 
CPE router and Frame Relay switch 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
a | 


* Frame Relay is a standard that defines the process 
for sending data over a public data network. 


* Frame Relay connections operate over virtual 
circuits. 


* LMI is a signaling standard between the CPE 
device and the Frame Relay switch that is 
responsible for managing the connection and 
maintaining status between the devices. 
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Quiz 
Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 
Ql) — The connection between the customer site and the service provider network is known 
as the 


A) Network-to-Network Interface 


B) user-network interface 
C) serial interface 
D) network to user interface 


Q2) Frame Relay provides connections between sites using a VC that is identified by its 


A) IP address 

B) network address 
C) DLCI 

D) PVC 


Q3) | Which DLCI does the Frame Relay LMI type “Cisco” use for communication? 


A) 15 
B) 1023 
Cc) 0 

D) ~=—-:16 
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Quiz Answer Key 


Ql) B 

Relates to: Frame Relay Overview 
02) --€ 

Relates to: Frame Relay Operation 
Q3)  B 


Relates to: Frame Relay Signaling 
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Configuring Frame Relay 


Overview 


This lesson illustrates how to configure Frame Relay on a serial interface. 


Relevance 


It is important to know how to configure a Frame Relay connection because it is the most 
popular WAN connectivity solution. This lesson covers the concepts and commands for 
configuring Frame Relay. 


Objectives 
Upon completing this lesson, you will be able to: 
m List the steps and commands that are required to configure a basic Frame Relay connection 
m= Explain how DLCI numbers are dynamically mapped to IP addresses 
m Describe how DLCI numbers are statically mapped to IP addresses 
m Identify the significance of DLCI numbers 
m Explain the function of a hub-and-spoke topology 
m= List the commands that are required to configure a hub-and-spoke topology 


m Explain why static DLCI maps should be configured to reach the hub site and the other 
spoke sites 


= Configure a Frame Relay map 


Learner Skills and Knowledge 
To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m= All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO) 
course 


m All knowledge presented in the Jnterconnecting Cisco Network Devices (ICND) course 


Outline 


8-14 


This lesson includes these topics: 


Overview 

Configuration of Basic Frame Relay 
Dynamic Address Mapping 
Configuration of Static Address Mapping 
Different DLCIs at the Remote Routers 
Hub-and-Spoke Topology 

Spoke Router 

Summary 


Quiz 
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Configuration of Basic Frame Relay 


This topic describes the steps and commands that are required to configure a basic Frame Relay 
connection. 


Configuring Basic Frame Relay 


Frame Relay Network 


central recat interface Serial0 
central ) Hip an 10.16.0.1 vac hgaaeaa 
GaAwan Iomaie irs Seccgenonan atenaamine 


branch (config) #interface Seriall 


branch (config-if) #ip address. Canin ornmiaaal 
branch (config di yada tion frame-relay 


There are five steps required to configure a basic Frame Relay connection: 
Step 1 Select the interface and enter interface configuration mode. 
Step 2 Configure a network-layer address, for example, an IP address. 


Step 3 Select the encapsulation type used to encapsulate data traffic end-to-end using the 
following command: 


encapsulation frame-relay [cisco | ietf] 


The default argument is cisco. It is the recommended setting if connecting to another Cisco 
router. Select ietf if connecting to a router from another vendor. 


Step 4 If using Cisco IOS Software Release 11.1 or earlier, specify the LMI type used by 
the Frame Relay switch using this command: 


frame-relay lmi-type {ansi | cisco | q933a} 


With Cisco IOS Software Release 11.2 or later, the LMI type is autosensed and manual 
configuration is required. Otherwise, the customer can obtain the LMI type from their Frame 
Relay service provider and manually configure it. The default LMI type is cisco. 


Step 5 Configure address mapping. 
On Cisco routers, the address mapping of a local DLCI to a remote IP address can be 


configured manually with static address mapping, or with dynamic address mapping. In the 
above example, the address mapping is dynamic. 
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Dynamic Address Mapping 


This topic describes how DLCI numbers are dynamically mapped to IP addresses. The DLCI to 
IP address mapping can be done dynamically or statically. 


Dynamic Address Mapping 


1-ARP Request 


-ARP Response 
Branch A 
10.16.02 


Central 


a ae DLCI=500 


Inverse ARP or 
Frame Relay Map 


IP 
10.16.0.2 


central (config) #interface Serial 


tral (config-if) #ip address 10.16.0.1 255,255.255. 
partiee tll g eda . -pinssch aoee : 


BCRAN v2.1-8-3 


If you use dynamic address mapping, Frame Relay Inverse ARP dynamically associates a given 
DLCI with the next-hop protocol addresses for that connection. The router then updates its 
mapping table and uses the information in the table to route outgoing traffic to the appropriate 
PVC. Frame Relay Inverse ARP, and therefore dynamic addressing, is enabled by default for 
all protocols that are enabled on a physical interface. No additional commands are necessary. 


If Inverse ARP has been previously disabled on a Frame Relay interface, it can be reenabled 
using the frame-relay inverse-arp command in interface configuration mode. 


Note LMI must be functioning on an interface to use Frame Relay Inverse ARP because LMI is 
used to determine the PVCs to map. 


8-16 Building Cisco Remote Access Networks (BCRAN) v2.1 Copyright #: 2004, Cisco Systems, Inc. 


Configuration of Static Address Mapping 


This topic describes how DLCI numbers are statically mapped to IP addresses. The DLCI to IP 
address mapping can be done dynamically or statically. 


Configuring Static Address Mapping 


OLCI to Branch A = 110 
DOLCI to Branch B = 120 (Vendor XZ) 


a “%. 
Centra 


10.16.0.1/24 


10.16,0,3/24 


central (config) #anterface Serialo 
central (config-if) #ip address 10.16.0.1 255.255.255.0 


central soni Bel fencapsulaticn pip 10-3692 
contra: ar ae ie ie fo: A828 
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Whether the mapping of a DLCI to a remote IP address happens dynamically or statically, the 
DLCTI that is used does not have to be the same number at both ends of the PVC. 


If you use static address mapping, you must use the frame-relay map command to statistically 
map destination network protocol addresses to a designated DLCI. In this figure, the central site 
router is configured with static maps to both branch routers, Branch A and Branch B. 


The static address mapping command syntax is as follows: 


frame-relay map protocol protocol-address dlici [broadcast] 
[iet£ | cisco] 
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The following table describes the frame-relay map command syntax. 


frame-relay map Command 


Command Description 

protocol Selects the protocol type. Commonly used protocols are disw, ip, 
and ipx. 

protocol-address Specifies the destination protocol address. 

dici Specifies the DLCI number used to connect to the specified 


protocol address on the interface. 


broadcast (Optional) Specifies that broadcasts should be forwarded when 
multicast is not enabled. 


ietf (Optional) Enables the Internet Engineering Task Force (IETF) 
encapsulation. 


cisco (Optional) Enables the Cisco encapsulation. 


8-18 Building Cisco Remote Access Networks (BCRAN) v2.1 Copyright # 2004, Cisco Systems, Inc. 


Different DLCls at the Remote Routers 


This topic describes the significance of DLCI numbers. DLCI numbers are locally significant 
only and do not have to be the same at each end of the PVC. 


Different DLCls at the Remote Routers 


DLC! 500 


Branch A 
10.4.1.4 
Central 


Branch B 
° The different remote routers can use the same or 
different DLCIs when accessing the same PVC. 


e DLCI numbers are local between the customer and 
the Frame Relay switch. 


Whether the mapping of a DLCI to a remote IP address happens dynamically or statically, the 
DLCI that is used does not have to be the same number at both ends of the PVC. In this 
example, the central router is using DLCI 500 and the Branch A router is using DLCI 100. 
Each router is communicating with the other router using a different DLCI over the same PVC. 


Locally significant DLCIs mean that the DLCI number has meaning between the individual 
customer and the Frame Relay switch only. Different customers may use the same DLCI 
number to communicate with different switches within the same Frame Relay network. 


Although not a requirement, Frame Relay providers usually assign the same DLCI number to 
VCs that connect to a common site. For example, all remote sites that have a Frame Relay 
connection to the headquarters site may be assigned DLCI 100 for this hub connection. 
Network topology diagrams often display this common DLCI assignment at the hub location. 
This DLCI assignment represents the DLCI that remote devices use to connect to that site, even 
though the DLCI value is actually assigned to each of the remote locations and not to the hub. 
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Hub-and-Spoke Topology 


This topic describes the function of a hub-and-spoke topology and the commands that are 
required to configure it. Frame Relay is most commonly configured in a hub-and-spoke 
topology. 


Hub-and-Spoke Topology 


Hub Spoke 
Router Router 


DLC! 110 PVC  DLCI210 


10.16.0.1/24 . 10,16.0.2/24 
DLC! 120 


DLCI to Branch=110 
DLCI to Non-Cisco=120 10,16.0.3/24 


central (config) #interftace Serialo 

central (config-if) #ip address 10.16.0.1 255.255.255.0 
central (config-if) #encapsulation frame-relay 

central (config-if) #bandwidth 56 

| central (config-if) ‘#trane- relay 1 map ip 10.16. 9,2 120 beoadoast 
central ( . (config-if) #frane #frame-relay janes AOE, 3 120d 


The topology shown is known as a Frame Relay hub-and-spoke topology. The central site is 
acting as the hub and the Branch A and Branch B routers are acting as the spokes. Each of the 
spoke routers is connected only to the hub. When two spoke routers need to communicate with 
each other, the traffic is sent via the hub router. The advantage to this type of topology is that 
there does not have to be a full mesh of PVCs between all routers. This will provide a cost 
savings on the number of PVCs needed. 


The configurations for the hub-and-spoke routers in the example would be as follows: 


central (config) #interface seriall 

central (config-if)#ip address 10.16.0.1 255.255.255.0 

central (config-if) #encapsulation frame-relay 
centralA(config-if)#frame-relay map ip 10.16.0.2 110 broadcast 
centralA(config-if)#frame-relay map ip 10.16.0.3 120 broadcast ietf 


branchaA (config) #interface serial0 

branchA(config-if)#ip address 10.16.0.2 255.255.255.0 
branchA (config-if) #encapsulation frame-relay 

branchA (config-if)#frame-relay map ip 10.16.0.1 210 broadcast 
branchA (config-if)#frame-relay map ip 10.16.0.3 210 broadcast 
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branchB (config) #interface serial0 

branchB (config-if)#ip address 10.16.0.3 255.255.255.0 

branchB (config-if) #encapsulation frame-relay 

branchB (config-if)#frame-relay map ip 10.16.0.1 220 broadcast ietf 
branchB (config-if)#frame-relay map ip 10.16.0.2 220 broadcast ietf 
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Spoke Router 


This topic describes how static DLCI maps should be configured to reach the hub site and the 
other spoke sites. Static DLCI maps are configured with the frame-relay map command. 


Spoke Router 


Spoke 


Router 


DLC! 210 


ee oe ee 


CLL. Granch 


DLCi 220 
10,16.0.424 


branchaA (config) #interface Seriaid 
branchaA (config-if) fap adetress 10.16.0.2 255.255.255.0 
branchaA (conrig-if) fencapsulation frame-relay 


brancha (config if) #bandwadth 56 
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In this example, both branch routers are using static mapping to communicate with the central 
office (CO) router and the other branch office router. Notice that the branch routers use the 
same DLCI to communicate with both the CO and the other branch office router. The only 
difference is the remote IP address. 


The branch routers can be configured using Inverse ARP to the central site and a static map to 
the other branch office, both using the same DLCI. This arrangement works until the branch 
office router is rebooted. After the router reboots, the static map disables Inverse ARP for that 
DLCI. This situation means that the branch router will not be able to reach either the central 
site or the other branch office. Because there is no dynamic mapping to the central site, there is 
no way to reach the other branch office via the hub router, even though a static map is 
configured. When configuring the branch office routers, static map addresses should be used to 
reach both the central site and the other branch router, as shown in the example. 


Note None of these example configurations take into account the routing updates and split- 
horizon issues with distance-vector routing protocols. This will be discussed further along in 
this module. 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
eran SONU P| 


° There are five steps required to configure a basic 
Frame Relay connection. 


¢ The DLCI to IP Address mapping can be done 
dynamically or statically. 


* Locally significant DLCls have meaning between 
the customer and the Frame Relay switch only. 


* Frame Relay is commonly configured ina 
hub-and-spoke topology. 


* Static DLCI maps are configured with the 
frame-relay map command. 
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Quiz 


Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 


Ql) 


Q2) 


Q3) 


Q4) 


QS) 


Q6) 


Which Frame Relay LMI type is the default on Cisco routers? 


A) ANSI 
B) IETF 
C) Cisco 
D) Q.933I1 


Which function does Inverse ARP perform? 

A) multicast support 

B) periodic keepalive transmission 

C) static mappings of DLCIs to local Layer 3 addresses 

D) dynamic mappings of DLCIs to remote Layer 3 addresses 

The frame-relay map command is used to create a static map between an IP address 
and a DLCI. 

A) true 

B) false 

Locally significant DLCIs mean that the DLCI number has meaning between the 
individual customer and the Frame Relay switch only. 

A) true 

B) false 


What is an advantage of designing a hub-and-spoke Frame Relay network? 
A) full redundancy 

B) requires subinterfaces 

C) cost effective 

D) partial redundancy 


Which type of encapsulation should be used when connecting equipment from another 
vendor to a Cisco Frame Relay network? 


A) Cisco 
B) IETF 
C) ANSI 
D) Q.933A 
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Quiz Answer Key 


Ql) ic 

Relates to: Configuration of Basic Frame Relay 
Q2) D 

Relates to: Dynamic Address Mapping 
Q3) A 

Relates to: Configuration of Static Address Mapping 
04) A 

Relates to: Different DLCls at the Remote Routers 
Q5) = C¢ 

Relates to: Hub-and-Spoke Topology 
Q6) B 


Relates to: Spoke Router 
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Verifying Frame Relay 
Configuration 


Overview 


This lesson highlights Cisco IOS commands that help verify proper Frame Relay configuration. 


Relevance 


Implementing and troubleshooting Frame Relay is a necessary skill for network engineers. This 
lesson provides an overview of various commands to verify Frame Relay connectivity. 


Objectives 
Upon completing this lesson, you will be able to: 


m= List commands that are useful when implementing and troubleshooting a Frame Relay 
connection 


m Identify key fields for each command 


Learner Skills and Knowledge 
To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO) 
course 


m All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course 


Outline 
This lesson includes these topics: 
m Overview 
m Verification of Frame Relay Operation 
= Summary 


B Quiz 


Verification of Frame Relay Operation 


This topic describes the Frame Relay monitoring commands and highlights key fields for each 
command. Various commands are required to monitor and troubleshoot a Frame Relay 
connection. 


Verifying Frame Relay Operation 


centroltohow interface seriald 
i 


Harcware aé HDtdu7) 
Internet address ais 10.16.9.1/24 
b BW 535 Fou t OLY ZUUCU usec, wely gou/do5, load liso 
AME-RELAY. loophack not set. keapalive nat (10 sec) 


Lk eng sent prong gba pte gemma OTR LAT up 
IMT Stat sont C 
r ‘tyme - KAT Annex | 


Becedeask queus ved, er weet fdoopped 20/0, intwrfwce beowdcusty 0 
Laat input 30°C9°0?, outper €9:00:03, omtpet hang reer 
Last clearing of “show antertace" counters never 
Queneing atrategy: fifo 
<Qctpet Umitted> 


* Displays line, protocol, DLCI, and LMI information 
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After you configure Frame Relay, you can verify that the connections are active using the 
available show commands. The show interface command displays information regarding the 
encapsulation and Layer 1 and Layer 2 status. It also displays Frame Relay LMI information 
for the interface, including the number of LMI messages exchanged, LMI type, and the DLCI 
that is used by LMI. 
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Verifying Frame Relay Operation ont) 


output pkts 25 in bytes 8339 
out Bytes 5046 dropped pete 0 in FROW pkos © 
in BRON pkts ¢ oct PECW pkte © oot REOK pete © 
io DE pkte 9 Out DE pkte 0 
out heast pkeos 14 out haast bytes 2648 
pre create time C0:16€:33, last time pve status changed 00:12:51 

nentralt 


* Displays PVC traffic statistics 
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The show frame-relay pve command displays the status of each configured connection as well 
as traffic statistics. This command is also useful for viewing the number of backward explicit 
congestion notification (BECN) and forward explicit congestion notification (FECN) packets 
received by the router. The PVC STATUS can be active, inactive, or deleted. 


If you enter the show frame-relay pve command without any additional arguments, you will 
see the status of all the PVCs configured on the router. If you specify the PVC, you will see the 
status for that PVC only. In the figure, the show frame-relay pve 110 command displays the 
status of PVC 110 only. 
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Verifying Frame Relay Operation OnE) 


“Beria10 “tp? | _ > 10.26-0. dat diocoxcz, Ox18E0}, static, 
broascast 
CISCO, status defined, ackive 

Seraal0 {uph: ip 10.16.0.3 dica 12010273, 0x1080) |, dynanic, 


broedecast,, status defined, active — 


centeald 


¢ Displays the route maps, either statistic or dynamic. 


e In this example DLCI 110 was configured statistically 
while DLCI 120 was learned dynamically. 


Use the show frame-relay map command to display the current DLCI protocol address map 
entries and information about the connections. 


The show frame-relay map command will display various information including the remote 
protocol address, the DLCI number, dynamic or static address mapping, and the state of the 
PVC. 


In the example, DLCI 120 on interface Serial0 maps to remote IP address 10.16.0.3; the 
mapping was dynamically discovered using Inverse ARP. 


8-30 Building Cisco Remote Access Networks (BCRAN) v2.1 Copyright #: 2004, Cisco Systems, Inc. 


Verifying Frame Relay Operation ont) 


LMI Statistics for interface Seriald | 

Invalid Unnumbered info © Invalid Prot Dise 0 
Invalid dummy Call Ref © Invalid Msq Tyre © 
Invalid Status Message © Invalid Lock Shift 0 
ITeavelad Information ID © Imvelid Reppert IE Len 0 
ITavalid Report Bequest © Invalid Keep [IE Len 0 
Hum Status Eng. 3s 2100 Num 3 weve Li 
Num Update Status Revd © Num Status Timecute J 
central# 


* Displays LMI information 
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The show frame-relay Imi command displays LMI traffic statistics. For example, the 
command shows the number of status messages exchanged between the local router and the 
Frame Relay switch, including the number of invalid LMI packets by type. 
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8-32 


Verifying Frame Relay Operation OnE) 


‘Serial3/1 (in): atatus, myseq 214 

RT IE 1, length 1, type 0 

KA IB 3, length 2, yourseq 214, =syseq 214 

EVC IE Ox? , length 0x6 , dlei 130, status 0x2 , bw 0 
Serial3/1 (ont): EtEng, myseq 215, yourspon 214, OTE wm 
datagramstart = 5«1959DFd, datagrameize = 12 

PR encap = OxPCrLOSO9 

96 75 01 61 O01 339 OF DBT PE 


Serial3/i(in): Status, myseq 215 

RI 1B 1, length 1, type i 

RA IE 3, length 2, yourseg 215, myseqg 215 
Serial3/l{(ont): StEng, myseq 216, yourspen 215, DIE uw 
datagramstart = Ox1S59DF4, datagrameise = i} 

FR encap = OxFCFLO309 

oo 75 01 01 O1 03 O? na D7 


¢ Displays LMI debug information 


BCRAN v2.18-6 


The debug frame-relay Imi command allows you to verify and troubleshoot the Frame Relay 
connection. 


The “(out)” status field is an LMI status inquiry sent by the router. The “(in)” status is a reply 
by the Frame Relay switch. 


The “type 1” field is a keepalive message sent by the router to the Frame Relay switch 
approximately every 10 seconds. The purpose of the keepalive message is to verify that the 
Frame Relay switch is still active. 


The “type 0” field represents a full LMI status message sent every 60 seconds. The “dlci 130, 
status 0x2” field indicates that the status of DLCI 130 is active. The most common values of the 
status field are as follows: 


m 0x0: Added/inactive. The switch has this DLCI programmed but for some reason (such as 
the other end of this PVC is down) it is not usable. 


m 0x2: Added/active. The Frame Relay switch has the DLCI and everything is operational. 
You can start sending traffic with this DLCI in the header. 


m 0x4: Deleted. The Frame Relay switch does not have this DLCI programmed for the router. 
However, it was programmed at some point in the past. This could also be caused by the 
DLCIs being reversed on the router, or by the PVC being deleted by the telco in the Frame 
Relay cloud. 
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Verifying Frame Relay Operation ont) 


centraltshow frame map 
Seriald (up): ap 10.16.0.2 dlez 110 (OxGE,0x1920), dynamic, 


broadcast,, status defined, active 
Seriald (up): ip 10.16.0.3 dlci 120(0x78,0x1090), dynamic, 
broadccast,, status defined, active 


central# 

contral#olear frame-relay-inarp 
centzal#tshew fxame-xelay map 
central+# 


* Clears dynamically created Frame Relay maps 


¢ Disables Inverse ARP 


To clear dynamically created Frame Relay maps, which are created by the use of Inverse ARP, 
use the clear frame-relay-inarp privileged EXEC command. This command disables Inverse 
ARP for the router. 


Note Do not use this command in a production network. Doing so will cause user traffic to be 
stopped because of the lack of a Layer 2 DLCI mapped to a Layer 3 protocol address. To re- 
enable Inverse ARP, use the interface command frame-relay inverse-arp. 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
TE ae we | 


° The show frame-relay pvc command displays the 
status of each configured connection, as well as 
traffic statistics. 


* The show frame-relay map command displays the 
DLCl-protocol address map entries, as well as 
information about the connection. 


* The show frame-relay Imi command displays LMI 
traffic statistics. 


* The debug frame-relay Imi command allows you to 
verify and troubleshoot the Frame Relay 
connection. 
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Quiz 
Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 
Ql) ~~ Which information from a show interfaces display indicates that your Frame Relay 
connection is operating correctly? 
A) Bandwidth is 128 kbps. 
B) Hardware is in syne mode. 
C) MTU size is 1500 bytes or more. 


D) LMI eng sent and stat recvd are non-zero. 
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Quiz Answer Key 
Ql) D 


Relates to: Verification of Frame Relay Operation 
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Configuring Frame Relay 
subinterfaces 


Overview 


This lesson provides a review of Frame Relay subinterfaces, and explains why and when you 
would use subinterfaces. 


Relevance 


A Frame Relay network can be connected in a star, full-mesh, or partial-mesh topology. 
Depending on the topology configured, there may be some reachability issues with routing 
updates because of the split horizon rule. Subinterfaces can be configured to resolve this issue. 


Objectives 


Upon completing this lesson, you will be able to: 


Explain the issues that can occur with routing protocols in a multipoint Frame Relay 
configuration 


Explain the issues that can occur with distance-vector routing protocols and the split 
horizon rule in a multipoint Frame Relay configuration 


Explain why it is not recommended to disable split horizon in a multipoint Frame Relay 
configuration 


Identify the reasons why subinterfaces can be used to help solve issues with distance-vector 
routing protocols and the split horizon rule in a multipoint Frame Relay configuration 


Describe how point-to-point subinterfaces can solve reachability issues 
Explain how multipoint subinterfaces can solve reachability issues 


List the steps and commands required to configure a subinterface on a basic Frame Relay 
connection 


Learner Skills and Knowledge 


To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m All knowledge presented in the /ntroduction to Cisco Networking Technologies (INTRO) 
course 


m All knowledge presented in the /nterconnecting Cisco Network Devices (ICND) course 


Outline 


This lesson includes these topics: 

m Overview 

m Reachability Issues with Routing Updates 
= Resolution of Reachability Issues 

m= Subinterface Usages 

m™ Point-to-Point Subinterfaces 

= Multipoint Subinterfaces 

= Configuration of Subinterfaces 

m™ Subinterface Configuration Example 

= Summary 


= Quiz 
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Reachability Issues with Routing Updates 


This topic describes reachability issues with routing updates in a multipoint Frame Relay 
configuration. Multipoint Frame Relay connections are prone to reachability issues. 


Reachability Issues with 
Routing Updates 


Circuit #22 


Circuit #23 


¢ Broadcast traffic must be replicated for each active 
connection. 


There is a major issue with a router that supports multipoint connections over a single interface. 
Because many DLCIs terminate in a single router, that router must replicate routing updates 
and service advertising updates on each DLCI to the remote routers. The updates can consume 
access-link bandwidth and cause significant latency variations in user traffic. The updates can 
also consume interface buffers and lead to higher packet-rate loss for both the user data and 
routing updates. 


The amount of broadcast traffic and the number of VCs terminating at each router should be 
evaluated during the design phase of a Frame Relay network. Overhead traffic, such as routing 
updates, can impact the delivery of critical user data, especially when the delivery path contains 
low-bandwidth (56 kbps) links. 
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Resolution of Reachability Issues 


This topic describes the problems that are associated with disabling split horizon in a multipoint 
Frame Relay configuration. Disabling split horizon could be used to resolve distance-vector 
protocols and split horizon rule reachability issues. 


Resolving Reachability Issues 
re S| 


Physical Subnet A 
Logical Interface interface 


$0.1 So Subnet B 
$0.2 
$0.3 

Subnet C 


° Split horizon can cause problems in NBMA 
environments. 


* A single physical interface simulates multiple 
logical interfaces. 


¢ Subinterfaces can resolve split horizon issues. 


BCRAN v2.18-3 


The simplest answer to resolving the reachability issues brought on by split horizon may seem 
to be to turn off split horizon. Two problems exist with this solution. First, only IP allows you 
to disable split horizon. Second, disabling split horizon increases the chances of routing loops 
in your network. 


Note Split horizon is disabled by default for the IP protocol on Frame Relay interfaces. Enhanced 
Interior Gateway Routing Protocol (EIGRP) is an exception. EIGRP requires IP split horizon 
to be manually disabled. 
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Subinterface Usages 


This topic describes subinterfaces to help solve issues with distance-vector routing protocols 
and the split horizon rule in a multipoint Frame Relay configuration. Subinterfaces are logical 
subdivisions of a physical interface. 


Subinterface Usages 


Branch A 


80.1=51 
30,2=52 
DLC! 52 80.3=53 


Branch C 


DLCI 53 


¢ Point-to-point subinterfaces can be used to solve 
split horizon issues. 


Cisco Systems, Inc. All rights reserved, 


To enable the forwarding of broadcast routing updates in a Frame Relay network, you can 
configure the router with logically assigned interfaces called subinterfaces. Subinterfaces are 
logical subdivisions of a physical interface. 

You can configure subinterfaces to support these connection types: 

m™ Point-to-point 


= Multipoint 
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Point-to-Point Subinterfaces 


This topic describes how point-to-point subinterfaces can solve reachability issues in a Frame 
Relay configuration. Subinterfaces can be configured either as point-to-point or multipoint. 


Point-to-Point Subinterfaces 


ee on ee) 


Subinterfaces 


Each subinterface is ona 

separate network or subnet 
with @ single remote router 
at the other end of the PVC, 


¢ Split horizon is not an issue with point-to-point 
subinterfaces. 


BCRAN v2.1—8-5 


In point-to-point subinterface configurations, a single subinterface is used to establish one PVC 
connection to another physical or subinterface on a remote router. In this case, the subinterfaces 
would be in the same subnet and each subinterface would have a single DLCI. Each point-to- 
point connection is its own subnet. 


In split horizon routing environments, routing updates received on one point-to-point 
subinterface can be sent out another point-to-point subinterface. Each VC can be configured as 
a point-to-point connection, which allows the subinterface to act like a leased line. This is 
because each point-to-point subinterface is treated as a separate physical interface. 
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Multipoint Subinterfaces 


This topic describes how multipoint subinterfaces can solve reachability issues in a Frame 
Relay configuration. 


Multipoint Subinterfaces 
es Sn eee 


Subinterfaces 


For each subimterface, 
there may be multiple 
remote router connections 
using multiple DLCls, 


__ 172.30.1.0/24 


¢. 
_ 172.30.2.0/24 


172.30.3.0/24 —_—____—— 
-—— "7 — — — — Interface Serial 


¢ Split horizon can be still be an issue with 
multipoint subinterfaces. 


In multipoint subinterface configurations, a single subinterface is used to establish multiple 
PVC connections to multiple physical or subinterfaces on remote routers. In this case, all the 
participating interfaces would be in the same subnet and each interface would have its own 
local DLCI. In this environment, because the subinterface is acting like a regular NBMA Frame 
Relay network, broadcast traffic is subject to the split horizon rule. 


Cisco routers can be configured to simultaneously support both point-to-point and multipoint 
subinterfaces. Each subinterface is configured as one or the other, not both. This permits a 
company to configure individual Frame Relay connections as needed, and to provide a more 
flexible transition from one configuration to another. 
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Configuration of Subinterfaces 


There are a total of six steps that are required to configure a subinterface on a basic Frame 
Relay connection. This topic describes the first four steps. 


Configuration of Subinterfaces 


¢ Point-to-point 
—Subinterfaces act as leased line 


—Each point-to-point connection requires its own 
subnet 


— Good for star or partial-mesh topologies 

¢ Multipoint 
—Subinterfaces act as default NBMA network 
—Can save subnets because uses single subnet 
— Good for full-mesh topology 


To configure subinterfaces on a physical interface, perform these steps: 


Step 1 Select the interface upon which you want to create subinterfaces, and enter the 
interface configuration mode. 


Step 2 Remove any network-layer address assigned to the physical interface. If the physical 
interface has an address, frames will not be received by the local subinterfaces. 


Step 3 Configure Frame Relay encapsulation, as discussed in the Configuring Frame Relay 
lesson in this module. 


Step 4 Select the subinterface you want to configure, as follows: 


interface serial number.subinterface-number {multipoint | 
point-to-point} 
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The following table lists the command and parameters to use when setting up a subinterface on 
a serial link. 


interface serial Command Parameters 


Command 


Description 


Subinterface number. The interface number that precedes the 
period (.) must match the interface number to which this 
subinterface belongs. The number of subinterfaces possible 
on one interface is interface description block (IDB)- 
dependent. The IDB is a set of data structures that provide 
hardware and software views of network interfaces. 


subinterface-number 


Select if you want the router to forward the broadcasts and 
routing updates that it receives. Select this option if you are 
routing IP and you want all routers in the same subnet. 


multipoint 


Select if you do not want the router to forward broadcasts or 
routing updates and if you want each pair of point-to-point 
routers to have its own subnet. 


point-to-point 
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Subinterface Configuration Example 


This topic describes the last two steps and commands that are required to configure a 
subinterface on a basic Frame Relay connection. 


Subinterface Configuration aoe 


10.17.0.4 
50.2-DLCF110 PYC 


10.18.0.1 
£6.5-DLC1=126 


cantral (config) #<Outpet Omitted 

central (config-if) #interface Seriald 

eentrsl (cormfig-ifttine ip sddecese 

central (conftac-if) Rencapsulavion fram-zelay 
‘ 


central (config) #interface Serial0.110 point-to-point 


CONT al (aentig- muha tj) eaenoriprion FYC ta Rranonhsx 
central (confic-subif) ip address 10.57.0.1 255.258.255.9 


central (config-subitl) @frame-relay interface-—dici 110 


' 

gentrai (config) #interface Seriald.120 point-to-point 
cantral (confic-subif)@description PYC to BranchY 
tentral (confic-subif)@#ip address 10.13.01 255.255.2559 


conteal foontag-subit) dtrscte—celay antertase-dies 120 
' 


<Gutaut. Gm tred> 


BCRAN v2.1-8-8 


Step 5 Configure a network-layer address on the subinterface. If the subinterface is point- 
to-point and you are using IP, you can configure an unnumbered subinterface as 
follows: 


ip unnumbered interface 


The interface parameter specifies a router interface with an IP address assigned. The 
subinterface associates itself with this interface for address purposes. If you use this command, 
it is recommended that the interface be a loopback interface because the Frame Relay link will 
not work if this command is pointing to an interface that is not fully operational. The loopback 
interface is a stable interface that is accessible from all other interfaces. 


Step 6 If you configured the subinterface as point-to-point, you must configure the local 
DLCI for the subinterface to distinguish it from the physical interface as follows: 


frame-relay interface-dlci d/ci-number 


The dlci-number parameter defines the local DLCI number being linked to the subinterface. 
This is the only way to link an LMI-derived PVC to a subinterface, because LMI does not 
know about subinterfaces. 


This command is required for all point-to-point subinterfaces. It is also required for multipoint 
subinterfaces for which dynamic addressing is enabled through the use of Inverse ARP. It is not 
required for multipoint subinterfaces configured with static address mappings (those using the 
frame-relay map command). 
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Remember, within the Frame Relay network, the service provider handles the actual mapping 
of the DLCIs between the routers. 


Note If you defined a subinterface for point-to-point communication, you cannot reassign the same 
subinterface number to be used for multipoint communication without first rebooting the 
router. Instead, you can avoid using that subinterface number and use a different 


subinterface number. 


Copyright © 2004, Cisco Systems, Inc. Configuring Frame Relay with Traffic Shaping 8-47 


Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
EN, eee 


¢ Disabling split horizon should not be used to resolve 
distance-vector protocols and split horizon rule 
reachability issues. 


In point-to-point subinterface configurations, a single 
subinterface is used to establish one PVC connection 


to another physical connection or subinterface on a 
remote router. 


In multipoint subinterface configurations, a single 
subinterface is used to establish multiple PVC 
connections to multiple physical connection or 
subinterfaces on remote routers. 


There are six steps required to configure a subinterface 
on a basic Frame Relay connection. 


BCRAN v2.1-8-9 


8-48 Building Cisco Remote Access Networks (BCRAN) v2.1 Copyright #: 2004, Cisco Systems, Inc. 


Quiz 


Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 


Ql) 


Q2) 


Q3) 


Q4) 


QS) 


Q6) 


Turing off split horizon on an NBMA environment increases the chance of creating 
routing loops. 


A) true 
B) false 


What is the recommended solution to avoid split horizon issues? 


A) Do not use a distance-vector protocol over Frame Relay. 
B) Enable broadcast on the serial interface. 
C) Configure subinterfaces. 


D) Turn off split horizon. 


Which type of Frame Relay connection will eliminate broadcast and split horizon 


issues? 
A) multipoint subinterface 
B) point-to-point subinterface 


C) multipoint 


D) point-to-point 


What must be configured on the hub router to allow one subnet to be used for all router 
interfaces participating in the Frame Relay circuit? 


A) multipoint subinterfaces 
B) point-to-point subinterfaces 
C) IP unnumbered with multipoint subinterfaces 


To configure Frame Relay subinterfaces, you must specify which parameter? 

A) ARP 

B) traffic rate 

C) map class 

D) traffic shaping 

E) multipoint or point-to-point 

The command frame-relay interface-dlci should be used only on subinterfaces. 
A) true 

B) false 
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Quiz Answer Key 


8-50 


Ql) 


Q3) 


Q4) 


Q5) 


Q6) 


A 


Relates to: 


Cc 


Relates to: 


B 


Relates to: 


A 


Relates to: 


E 


Relates to: 


A 


Relates to: 


Reachability Issues with Routing Updates 


Resolution of Reachability Issues 


Point-to-Point Subinterfaces 


Multipoint Subinterfaces 


Configuration of Subinterfaces 


Subinterface Configuration Example 
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Identifying Frame Relay Traffic 
Shaping Features 


Overview 


This lesson describes the Frame Relay traffic shaping (FRTS) features that are available in 
Cisco IOS software and explains why you use FRTS. 


Relevance 


A Frame Relay switch cannot determine which packets take precedence, and therefore which 
packets should be dropped when congestion occurs. Traffic shaping is also critical for real-time 
traffic such as Voice over Frame Relay (VoFR). Failure to do so can result in bottlenecks and 
packet loss. Traffic shaping controls the traffic going out an interface so that it can match its 
flow to the speed of the remote target interface, ensuring that the traffic conforms to policies for 
which it was contracted. 


Objectives 
Upon completing this lesson, you will be able to: 
m= List the strategies for implementing FRTS 
= Define the terminology associated with FRTS 
m Identify the purpose of FRTS 


Learner Skills and Knowledge 
To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO) 
course 


m= All knowledge presented in the Jnterconnecting Cisco Network Devices (ICND) course 


Outline 


8-52 


This lesson includes these topics: 


Overview 
Frame Relay Traffic Flow Terminology 
Traffic Shaping Over Frame Relay 


Summary 


Quiz 
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Frame Relay Traffic Flow Terminology 


This topic describes the terminology that is associated with FRTS. Traffic shaping can address 
bottlenecks and packet loss from mismatched data rates between source and destination. 


Frame Relay Traffic Flow 
Terminology 


You should be familiar with some of the terminology that is related to Frame Relay traffic flow, 
as listed here: 


Local access rate: The clock speed (port speed) of the connection (local loop, access line, 
or access circuit) to the Frame Relay cloud. This is the rate at which data travels into or out 
of the network, regardless of other settings. 


Committed information rate (CIR): The rate, in bits per second, at which the Frame 
Relay switch agrees to transfer data. The rate is usually averaged over a period of time, 
referred to as the committed time window (Tc). 


Oversubscribe, oversubscription: Oversubscription occurs when the sum of the CIRs on 
all the VCs coming into a device exceeds the access line speed. Oversubscription also 
occurs when the access line supports the sum of the CIRs purchased, but not the sum of the 
CIRs plus the bursting capacities of the VCs. Oversubscription results in frames being 
dropped if the access line rate is exceeded. 


Committed burst (Bc): The maximum number of data (in bits) that the switch agrees to 
transfer during any Tc. For example, if the Tc is 125 milliseconds and the CIR is 32 kbps, 
the Bc is 64 kbps. (CIR=Bc/Tc) 


Excess burst (Be): The maximum number of uncommitted bits that the Frame Relay 
switch attempts to transfer beyond the CIR for the first time interval only. Be is dependent 
on the service offerings available by your vendor, but is typically limited to the port speed 
of the local access line. 


Copyright © 2004, Cisco Systems, Inc. Configuring Frame Relay with Traffic Shaping 8-53 


m FECN: When a Frame Relay switch is in congestion locally, it marks the FECN bit in the 
frame header, indicating that congestion has been encountered. Other switches in the path 
forward the frame, never resetting the FECN or BECN flag. 


m= BECN: When a Frame Relay switch is in congestion locally, it marks the BECN bit in the 
frame header, indicating that congestion has been encountered. With Cisco IOS Software 
Release 11.2 or later, Cisco routers can respond to BECN notifications. This topic is 
discussed in this lesson. 


= Discard eligible (DE) indicator: The DE bit is set on the oversubscribed traffic, that is, the 
traffic that was received after the CIR was met. Until the release of Cisco IOS Software 
Release 12.2(6), Cisco routers were not able to set the DE bit. 


Note These are generic Frame Relay terms. They may be the same or slightly different than the 
terms your Frame Relay service provider uses. 


Frame Relay Traffic Flow 
Terminology (Cont.) 


Discard frame 


DE=1 


Frame 2 Frame3  Frame4 


Time (T=Bc/CIR) 
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The CIR, by itself, does not provide much flexibility when dealing with varying traffic rates. In 
practice, the Frame Relay switch measures traffic over a time interval specific to each logical 
connection. 


The Be and Be are amounts of data that a Frame Relay network agrees to transfer over a time 
interval, Tc. Be is the maximum amount in excess of the Bc that the network attempts to 
transfer under normal conditions. The traffic that is beyond the Bc is marked with the DE bit 
set. 


Notice that the actual frame transfer rate parallels the access rate. When a frame is being 
transmitted on a channel, that channel is dedicated to that transmission. 
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Traffic Shaping Over Frame Relay 


This topic describes why FRTS is used. Traffic shaping is used to control access to available 
bandwidth and to regulate the flow of traffic to avoid congestion that can occur when the 
transmitted traffic exceeds the access speed of its remote target interface. 


Why Use Frame Relay Traffic eheping? 


64 kbps 


Branch Bottleneck 
Office 


Ineed to reduce 
the pace at which 
Isend packets. 


FRTS is used in these typical situations: 


m When you have a Frame Relay network topology that consists of a high-speed (T1 line 
speed) connection at the central site and low-speed (64-kbps) connections at the branch 
sites. Because of the speed mismatch, a bottleneck often exists for traffic on a VC when the 
central site tries to communicate with the branch site. This bottleneck results in poor 
response times for traffic such as Systems Network Architecture (SNA) or interactive 
Telnet when it is stuck behind a large FTP packet on the low-speed line. Packets get 
dropped or delayed at the bottleneck, resulting in lost SNA sessions and possibly causing 
the central site to retransmit unacknowledged packets, making the congestion problem 
worse. The rate enforcement capability in FRTS can be used to limit the rate at which data 
is sent on the VC at the central site. Rate enforcement can also be used in conjunction with 
the existing DLCI prioritization feature to further improve performance in this situation. 


m The VCs send traffic as fast as the physical line speed allows. This occurs when you have a 
Frame Relay network that is constructed with many VCs to different locations on a single 
physical line into the network. The rate enforcement capability of FRTS enables you to 
control the transmission speed used by the router by other criteria, such as the CIR or 
excess information rate (EIR). The rate enforcement feature preallocates the bandwidth that 
each VC receives on the physical line into the network, effectively creating a virtual 
statistical time-division multiplexing (TDM) network. 


Copyright © 2004, Cisco Systems, Inc. Configuring Frame Relay with Traffic Shaping 8-55 


Why Use Frame Relay Traffic Shaping? 
(Cont.) 


Frame Relay Cloud 


Branch Office Central Site - 
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m= Ifyou have noticed that your Frame Relay connections occasionally get congested, you 
may want the router to throttle traffic instead of sending it into the network. Throttling the 
traffic may help prevent packet loss in the network. The BECN-based throttling capability 
provided with FRTS allows you to have the router dynamically throttle traffic based on 
receiving BECN-tagged packets from the network. This throttling holds packets in the 
buffers of the router to reduce the data flow from the router into the Frame Relay network. 
The throttling is done on a per-VC basis, and the rate is dynamically increased as fewer 
BECNs are received. 


™ Quite often you may have several different types of traffic to transmit on the same Frame 
Relay VC, such as IP, SNA, or Internetwork Packet Exchange (IPX). You may want to 
ensure that each different traffic type receives a certain amount of bandwidth. Using 
custom queuing with the per-VC queuing and rate enforcement capabilities enables you to 
configure VCs to perform this task. Prior to Cisco IOS Software Release 11.2, custom 
queuing was defined at the interface level only. Today, custom queuing can be defined at 
the VC level. 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
a ee 


e Local access rate is the clock speed of the connection 
to the Frame Relay cloud. 


¢ Committed information rate is the rate in which the 
Frame Relay switch agrees to transfer data. 


¢ Oversubscription occurs when the sum of the CIRs on 
all the virtual circuits coming into a device exceeds the 
access line speed. 


¢ Committed burst is the maximum number of bits that 
the switch agrees to transfer during any committed rate 
measurement interval. 


¢ Excess burst is the maximum number of uncommitted 
bits that the Frame Relay switch will attempt to transfer 
beyond the CIR for the first time interval only. 


Summary (Cont.) 


e When a Frame Relay switch is in congestion locally, it 
marks the FECN bit in the frame header towards the 
destination device indicating that congestion has been 
encountered. 


e When a Frame Relay switch is in congestion locally, it 
marks the BECN bit in the frame header indicating that 
congestion has been encountered. 


The DE bit is set on the oversubscribed traffic. 


Traffic shaping is used to control access to available 
bandwidth and to regulate the flow of traffic in order to 
avoid congestion that can occur when the transmitted 
traffic exceeds the access speed of its remote target 
interface. 


Copyright © 2004, Cisco Systems, Inc. Configuring Frame Relay with Traffic Shaping 


Quiz 
Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 


Ql) When a Frame Relay switch recognizes congestion in the network, which bit field will 
the switch use to notify the destination that congestion was experienced in the 


network? 

A) DE 

B) FECN 
C) BECN 
D) CIR 


Q2) _ Traffic shaping is primarily used to 


A) direct traffic flow to particular networks 

B) break up data into smaller segments 

C) control traffic transmission speeds 

D) encapsulate data on Frame Relay connections 
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Quiz Answer Key 


Ql) B 
Relates to: Frame Relay Traffic Flow Terminology 
Q2) Cc 


Relates to: Traffic Shaping Over Frame Relay 
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Configuring Frame Relay 
Traffic Shaping 


Overview 


This lesson discusses Frame Relay traffic shaping (FRTS) configuration tasks. 


Relevance 


Traffic shaping controls the traffic leaving an interface to match its flow to the speed of the 
remote target interface. Traffic shaping also ensures that the traffic conforms to the policies for 
which it was contracted. For this reason, it is important to know how to configure FRTS. This 
lesson covers the concepts and commands for configuring FRTS. 


Objectives 
Upon completing this lesson, you will be able to: 
m= List the steps and commands that are required when configuring FRTS 
m= Manually configure FRTS 
m Describe Frame Relay rate enforcement with BECN support 


™ Configure Frame Relay rate enforcement with BECN support 


Learner Skills and Knowledge 
To fully benefit from this lesson, you must have these prerequisite skills and knowledge: 


m All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO) 
course 


m All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course 


Outline 


8-62 


This lesson includes these topics: 


Overview 

Step 1: Configuration of FRTS 

Step 2: Configuration of FRTS 

Steps 3-5: Configuration of FRTS 

Traffic-Shaping Rate Enforcement 

Traffic-Shaping Rate Enforcement Configuration Example 
Traffic-Shaping BECN Support Example 
Traffic-Shaping BECN Support Configuration Example 
Traffic-Shaping Example 

Verification of FRTS 

show traffic-shape Command 

show traffic-shape statistics Command 


Summary 


Quiz 
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Step 1: Configuration of FRTS 


There are five steps that are required to configure FRTS. This topic describes the commands 
that are required in the first step. 


Step 1: Configuration of FRTS 


Router (config)#map-class frame-relay map-class-name 


* Enters map class configuration mode so you can 
define a map class 


To enable FRTS, perform these steps: 


Step 1 Specify a map class name to be defined with the map-class frame-relay map-class- 
name command. 
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Step 2: Configuration of FRTS 


This topic describes the second step to configure FRTS, the specification of traffic-shaping bit 
rates (versus multiple commands to set individual rate parameters). 


Step 2: Configuration of FRTS 


Router (config-map-class)#frame-relay traffic-rate average [peak] 


° Defines the average and peak rates 


or 


Router (config-map-class)#frame-relay adaptive-shaping becn 


° Specifies that the router fluctuates the sending rate 
based on the BECNs received 


Step 2 Define the map class. When you define a map class for Frame Relay, you can use 
these options for traffic shaping: 


m™ Define the average and peak rates (in bits per second) allowed on virtual circuits 
associated with the map class. 


m Specify that the router dynamically changes the rate at which it sends packets, 
depending on the BECNs that it receives. 


m Specify either a custom queue list or a priority queue group to use on virtual 
circuits associated with the map class. 


Regarding the first option, define the average and peak rates if the data is being sent faster than 

the speed at which the destination is receiving. If you define the average and peak rates (in bits 

per second) allowed on VCs that are associated with the map class, use the frame-relay traffic- 
rate average [peak] command. 
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The command syntax is described in the following table: 


frame-relay traffic-rate Command Parameters 


Command Description 

average Average rate in bits per second; equivalent to specifying the 
contracted CIR. 

peak (Optional) Peak rate, in bits per second; equivalent to CIR + 


Be/Tc = CIR + EIR. 


Specify that the sending router adjust its transmission rate based on the BECNs received. To 
select BECN as the mechanism to which traffic shaping will adapt, use the frame-relay 
adaptive-shaping becn command. 


Note The frame-relay adaptive-shaping command replaces the frame-relay becn-response- 
enable command. 
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Step 2: Configuration of FRTS on 


or 


Router (config-map-class)#frame-relay custom-queue-list number 


¢ Specifies a custome queue list 


or 


Router (config-map-class)#frame-relay priority-group number 


° Specifies a priority group 


= (Optional) If you want to distinguish and control traffic flow, you must specify a queuing 
mechanism such as a custom queue list or a priority group. To specify a custom queue list, 
use the frame-relay custom-queue-list number command. To specify a priority queue list, 
use the frame-relay priority-group number command. The number is a required number 
assigned to the custom or priority queue list. The command syntax is described in the 
following table. 


frame-relay custom-queue-list and frame-relay priority-group Commands 


Command Description 


frame-relay custom-queue-list 
number 


Assigns a custom queue to VCs associated with the map class. 
Use this command when you want to guarantee a particular 
protocol or service. 


Use this command after you have defined a custom queue using 
the queue-list command. 


frame-relay priority-group 
number 


Assigns a priority queue to VCs that are associated with the map 
class. Use this command when you want to guarantee an absolute 
priority for a protocol or service. 


Use this command after defining the priority queue using priority- 
list command. 


Only one queuing mechanism may be associated with a map class. To change the queuing 
mechanism from a type other than the default (FIFO), the previous queuing mechanism must 
first be disabled using the no form of the command. 


Note Custom and priority queuing are not recommended methods of queuing. Low latency 
queuing (LLQ) and class-based weighted fair queuing (CBWFQ) have replaced them. 
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Steps 3-5: Configuration of FRTS 


This topic describes last three steps to configure FRTS. 


* Enables Frame Relay traffic shaping on an interface 


Step 3 


Step 4 


Step 5 


Note 


After you have defined a map class with queuing and traffic-shaping parameters, 
enter interface configuration mode and enable Frame Relay encapsulation on an 
interface with the encapsulation frame-relay command. 


Map a map class to all VCs on the interface with the frame-relay class map class- 
name command. The map class-name argument must match the map class-name of 
the map class that you configured. 


Enable FRTS shaping on an interface with the frame-relay traffic-shaping 
command. Enabling FRTS on an interface enables both traffic shaping and per-VC 
queuing on all the PVCs and SVCs on the interface. Traffic shaping enables the 
router to control the output rate of the circuit and react to congestion notification 
information, if that is also configured. 


You can map the map class to the interface or a specific subinterface on the interface. 


Subinterfaces inherit the class parameters mapped to the main interface, unless a specific 


class is applied to the subinterface. 
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Traffic-Shaping Rate Enforcement 


8-68 


Traffic shaping is used to implement rate enforcement. This topic describes a typical scenario 
where Frame Relay rate enforcement should be configured. 


Traffic-Shaping Rate Enforcement 


Frame Relay Cloud 


Branch Office 64 kbps 


Egress Point 


Central Site 


64 kbps 
Branch Office 


Step 3 : : Step 1 
& bottleneck occurs H The data passes through : Data is sant from the 
at the 64-kbps egress the Frame Relay cloud. central site router at Tt 
points. ’ speeds. 
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The figure illustrates a typical Frame Relay environment. The central site has a T1-speed local 
loop connection, and the branch offices have slower local loop connections, in this case 64 
kbps. In addition, the CIR for each PVC going from the central site to each branch office is 64 
kbps. In this environment, the following process occurs: 


1. The central site may send data across the T1-speed line. Even though the CIR is 64 kbps, 
the router continues to send the data based on the T1 rate. 


2. The data goes through the cloud. 


3. When the data reaches the local loop that is connected to the branch office, a bottleneck 
occurs because the data is being sent faster than the speed of the branch office local loop. 
At this point packets are buffered at the egress point of the network, which increases line 
response time and can cause problems, particularly for latency-sensitive protocols such as 
SNA. 


The solution to this bottleneck is to slow the speed at which the central site router is sending 
data. With FRTS, you can define and enforce a rate on the VC at which the router will send 
data. The pace you set can be the CIR, EIR, or some other value. 
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Traffic-Shaping Rate Enforcement Configuration 


Example 


This topic describes how to manually configure Frame Relay rate enforcement. 


Configuring Traffic-Shaping Rate 
Enforcement Example 


Frame Relay Cloud 


Branch Office 


64 kb 


CR 64 4, : 


Egress Point 


64 kbps 


Branch Office 


central (config) #interface Serial2 


central (config-if)#no ip address 

central (config-if) #@encapsulation frame-relay 
ntral (config-if)#frame-relay traffic—shaping 

central (config-if)#frame-relay class branch 

' 


central (config) #map-class frame-relay branch 
central (config-map~class) §frame-relay traffic-rate 32000 64900 


Perform these steps to configure FRTS rate enforcement: 


Step 1 


Step 2 


Define a map class and enter map class configuration mode, as follows: 
map-class frame-relay map-class-name 
Define the rate enforcement parameters to use, as follows: 


[no] frame-relay traffic-rate average [peak] 


m™ average is the “average rate” (equivalent to setting CIR). 


m peak is the “peak rate” 
(equivalent to CIR + Be/Tc = CIR(1 + Be/Bc) = CIR + EIR). 


If the peak value is not configured, the peak rate will default to the average 
value configured. 


For SVCs, the configured peak and average rates are converted to the equivalent 
CIR, Be, and Bc values for use by SVC signaling. 


m The frame-relay traffic-rate command configures all of the traffic-shaping 
characteristics of a VC (CIR, Bc, Be) in a single command. It is much simpler 
than setting each parameter individually in the map class, but it does not provide 
the additional granularity. Only one command format—either traffic rate or 
setting individual values for CIR, Be, or Bc—will be accepted in one map class. 
The user is warned when entering a second command type that the previous 
traffic rate is being overwritten. 
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Step 3 


Step 4 


Step 5 


Enable both traffic shaping and per-VC queuing for all VCs (PVCs and SVCs) ona 
Frame Relay interface, as follows: 


frame-relay traffic-shaping 


For VCs where no specific traffic-shaping or queuing parameters are specified, the 
values are inherited from the parent interface; otherwise, a default set of values is 
used. 


Associate a map class with an interface or subinterface, as follows: 


frame-relay class name 


Each VC created on the interface or subinterface inherits all of the relevant 
parameters defined in the Frame Relay class name. For each VC, the precedence 
rules are as follows: 


m Use a map class associated with the VC, if it exists. 
m= If not, use a map class associated with the subinterface, if it exists. 
m If not, use a map class associated with the interface, if it exists. 


= If not, use the default parameters. 


(Optional) Apply a map class to a specific DLCI for which a Frame Relay map 
statement exists, as follows: 


frame-relay interface-dlci dici [ietf | cisco] 


class name 
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Traffic-Shaping BECN Support Example 


This topic describes Frame Relay rate enforcement with BECN support. 


Traffic-Shaping BECN Support =xermipic 


Frame Relay Cloud 
64 kbps y 
Branch Office Sid Central Site 


| need to adjust my 
transmit speed 
because of BECNs. 


BCRAN v2.1-8-8 


The figure illustrates a Frame Relay environment where a site has a different speed on its local 
loop connections to the Frame Relay cloud. 


In this environment, without FRTS, the following process can occur: 


1. The central site router sends data to the branch office router. 


2. One of the switches within the cloud determines that it is getting congested with traffic. In 
this case, the congested switch sets the BECN bit in reply packets from the branch office 
router to the central site router. 


3. The central site router notes that the BECN is received but does not slow its transmission 
rate. 


4. Atthis point, packets from the central site router begin dropping within the switch that is 
encountering the congestion. This condition results in retransmissions, further congesting 
the link. 


The solution for this problem is to enable the router to dynamically fluctuate the rate at which it 
sends packets, depending on the BECNs that it receives. For example, if the router begins 
receiving many BECNs, it reduces the packet transmit rate. As the BECNs become intermittent, 
the router increases the packet transmit rate. The goal is to send the optimal amount of traffic 
without incurring drops, thus maximizing throughput. 
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Traffic-Shaping BECN Support Configuration 
Example 


This topic describes how to configure Frame Relay rate enforcement with BECN support. 
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Configuring Traffic-Shaping BECN Support 
Example 


Frame Relay Cloud 


64 kbps 


Branch Office 


central (config) #interface serial 0 

central (config-if)#no ip address 

central (config-if) #encapsulation frame-relay 
central (config-if) eeicaanpnpcppey 


central (config~if) #frame-relay class 


central (config) fmap-class frame-relay becnnotify 
central (config-map~-class) #frame~-relay adaptive-shaping becn 
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Perform these steps to configure traffic shaping with Frame Relay BECN support: 


Step 1 


Step 2 


Step 3 


Define a map class and enter map class configuration mode, as previously discussed. 


Make sure that BECN support is enabled, as follows: 


frame-relay adaptive-shaping becn 
m™ BECN support is disabled by default. 


m= When enabled, BECNs received from the network on this VC are used to further 
regulate the output rate on the VC. As the frequency of BECNs increases, the 
output rate is steadily reduced from peak to average (equivalent of CIR). As 
congestion eases in the network and the frequency of BECNs decreases, the 
output rate is allowed to increase gradually to its configured peak. 


Enable both traffic shaping and per-VC queuing for all VCs (PVCs and SVCs) ona 
Frame Relay interface, as follows: 


frame-relay traffic-shaping 


For VCs where no specific traffic-shaping or queuing parameters are specified, a set of default 
values are used. 


Step 4 


Associate a map class with an interface or subinterface, as follows: 


frame-relay class name 
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Step 5 (Optional) Apply the map class to a specific DLCI for which a Frame Relay map 
statement exists, as follows: 


frame-relay interface-dlci dlci [broadcast] [ietf | cisco] 


class name 
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Traffic-Shaping Example 
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This topic describes an example of Frame Relay rate enforcement with BECN support 
configuration. 


Traffic-Shaping Example 


srnterfeces Serisi? ' 

n> ip address map slews free seley alow vce 

encapsulation frume relay Cram -eelay tx xa 

frame-relay lei-type arst frame-reloy cust quaus--ist 1 

feamecrulsy traflic-shaving ' 

trame-relay class slow uce map-slase trare-velsy trash ua 
frame-re lay troffio-zar 

inte: face 3erieald.1 poirt-cs-posnt Cx ew ew las peavilty-ye 

iw arkieens 29 228 20.1 260.256 ohh. aaa ' 


' 


tp ovpt cost ZOD ercevs Last 100 perstt top wy any aq 2t6t 
burderdth To ereeue Li gt 1L9 permit top oy ony eq fhe 
freme-retey wterctecendler Lot ' 
praoraty-list 2 preteosl deezet high 

dntwsface Suriald.2 pointe lomposnt peavealyrlist 2 peclcol ic <erwl 

ip adereas 1) 1278.30.99 255.255 2S8. 243 Praority-list 7 default meciue 

ip oapf oaar 400 ' 

bandwidth 19 ems Lage 1 protec! op 1 tsat 1D 
Zeame-relay interface-—dlai 02 om toot 1th 
feame-zselay clase faat_voe . 

' “ an oe aver, 1602 Laeat Jos 
trterface Serimid 0 poort--s-paint qumuenLaws 1 qewce 2 bytecsont 030 diat 27 
ip adérean 1).128.30.17 285.255.285.268 cumuenlies 1 qeuew 3 byserszent DO liait 220 
ip oepf covet 209 

berdwidth ~ 

frame-relay interface-dlei 03 


' 
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In this example, the VC on subinterfaces Serial0.1 and Serial0.3 inherit class parameters from 
the main interface, namely those defined in s/ow_vcs. However, the virtual circuit defined on 
subinterface Serial0.2 (DLCI 102) is specifically configured to use map class fast_vcs. 


Map class s/ow_vcs uses a peak rate of 9600 bps and an average rate of 4800 bps. If BECN 
adaptive shaping is configured for this map class, the output rate will be cut back to as low as 
4800 bps in response to received BECNs. This map class is configured to use custom queuing 
using queue-list 1. In this example, queue-list 1 has three queues, with the first two queues 
being defined by access lists 100 and 115. 


Map class fast_vcs uses a peak rate of 64,000 bps and an average rate of 16,000 bps. If BECN 
adaptive shaping was configured for this map class, the output rate would be cut back to as low 
as 4800 bps in response to received BECNs. This map class is configured to use priority 
queuing using priority-group 2. 
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Verification of FRTS 


Various commands are required to monitor and troubleshoot FRTS. This topic describes the 
show frame-relay pve command, which is useful for displaying the parameters that are used in 
traffic shaping and the queuing algorithm that is in use for all interfaces. 


Verification of FRTS 
pe en | 


contral#chow frame-relay pve 110 


PYC Statistics for interface Seriald/O (Frame Relay D173) 
DICI = 110, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE ~ Serial0/U 


input pkts ?713 outpet pkts 1131 in bytes 1728767 
ent bytes 119466 dropped pkte o in pkts dropped 9 
eut pketix deapperd 3 eat bytes denppesd 0 

in FECH pkts 0 in BECN pkts 9 cut PBIX pkto 0 
out BECN pkts 0 in DE sxts 0 cut 0G pkts 0 
ont heast nktsa 1 orm. breast bytes 34 


last time pvc status chanced 03:16:03 
car 3506 bo 85006 be 8 byte lint 159 interval 125 
mancar 4609 byte socrement 150 Aduptowe Scuwpasy GON 
pkts 1182 bytes 120992 pets delayed 27 bytes delayed 2460 
shaping active 
sraffic shaping crops © 
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In addition to Frame Relay PVC status, traffic, and DLCI information, the show frame-relay 
pve [interface interface] [dlci] command includes the parameters that are used in traffic 
shaping, if enabled, and the queuing algorithm that is in use for all interfaces. The specific 
details displayed for traffic shaping and queuing depend on the specific Cisco IOS software 
release. 
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show traffic-shape Command 


This topic describes another command that is used to monitor and troubleshoot FRTS. The 
show traffic-shape command is used to display the current traffic-shaping configuration. 


show traffic-shape Command 
885.57) 


MAX = Bc + Be Bc=Tc+CiR 


Routeréshow tratfic-shape 
iaterface 3e0/9 
Agoess Target Byte Sustain Exouse Interval Lnerusent Adapt 
Laxt Rate Iamst Sata/ant beatx/ant (7) (yt! Actave 
$609 s600 o 125 18¢ Fecu 


Tce =Bc/CIR Do we listen to 
FECN/ BECN? 
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Use the show traffic-shape command to display the current traffic-shaping configuration. The 
command output contains these fields: 


show traffic-shape Command Fields 


Field Description 

Target Rate Rate that traffic is shaped to, in bps. 

Byte Limit Maximum number of bytes transmitted per internal interval. 
Sustain bits/int Configured sustained bits per interval. 

Excess bits/int Configured excess bits per interval. 


Interval being used internally. This interval may be smaller 
than the Bc divided by the CIR if the router determines that 


Interval (ms) traffic flow will be more stable with a smaller configured 
interval. 

Increment (bytes) Number of bytes that are sustained per internal interval. 

Adapt Active Contains BECN if Frame Relay has BECN adaptation 


configured. 
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show traffic-shape statistics Command 


This topic describes the show traffic statistics command, which is used to display the current 
traffic-shaping statistics. 


show traffic-shape statistics Command 
ee | 


Number of packets or bytes 
sent on the Intertace 


Router# show traffac-shape statastics 


Aceeus Cucue Pavkets By bes Packets Bytco Shewing 
list Clesgs tub Delayed Delays = Artive 
2 PSS 317116 115 R971 yea 


Current depth of the associated Actual numberat packets or bytes 
queue tor delayed packets subject to delay due to traffic shaping 


Use the show traffic-shape statistics command to display the current traffic-shaping statistics. 
The command output contains the fields in the following table. 


show traffic-shape statistics Command Fields 


Field Description 

Queue Depth Number of messages in the queue 

Packets Number of packets sent through the interface 
Bytes Number of bytes sent through the interface 


Number of packets sent through the interface that were 


Paenet Delayed delayed in the traffic-shaping queue 


Number of bytes sent through the interface that were 


Bytes Delayed delayed in the traffic-shaping queue 


Contains “yes” when timers indicate that traffic shaping is 


Shaping Active occurring and “no” if traffic shaping is not occurring 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
eS a | 


* Traffic shaping can be used to address bottlenecks 
and packet loss due to mismatched data rates 
between source and destination. 


° Traffic shaping controls the traffic going out an 
interface in order to match its flow to the speed of 


the remote, target interface, and to ensure that the 
traffic conforms to policies contracted for it. 


Next Steps 
For the associated lab exercise, refer to the following section of the course Lab Guide: 


m Lab Exercise 8-1: Establishing a Dedicated Frame Relay Connection and Controlling 
Traffic Flow 
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Quiz 


Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 


Ql) 


Q2) 


Q3) 


Q4) 


QS) 


Q6) 


Q7) 


In the command frame-relay adaptive-shaping becn, what does been indicate? 
A) the mechanism that traffic shaping will use 
B) the name to represent this process 


C) how packets will be prioritized 


How many queuing mechanism(s) may be associated with a map class? 


A) one 
B) two 
C) three 
D) four 


The encapsulation frame-relay command enables Frame Relay on an interface. 


A) true 

B) false 

Your central site has a T1 connection and the branch offices have 56-kbps connections. 
You should apply traffic shaping at the _—sttolimit _ traffic. 

A) central site; outgoing 

B) central site; incoming 


C) branch offices; outgoing 


D) branch offices; incoming 


Traffic-shaping rate enforcement will optimize asynchronous Frame Relay 


connections. 
A) true 
B) false 


The command frame-relay class name may be used on physical interfaces only. 
A) true 
B) false 


Which command is used to configure traffic-shaping BECN support? 


A) frame-relay class becn 
B) frame-relay adaptive-shaping becn 
C) no configuration necessary, enabled by default 
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Q8) What does 1200 refer to in the command frame-relay traffic-rate 1200 4800? 
A) committed information rate 
B) average rate 
C) peak rate 
D) normal rate 
Q9) Both the show queuing and show interfaces commands display queuing information 
about interfaces. 
A) true 
B) false 
Q10) The show traffic-shape command output contains the following fields except: 
A) target rate 
B) byte limit 
C) interval (sec) 
D) increment (bytes) 
Q11)_ The show traffic-shape statistics command contains the following fields except: 
A) packets 
B) bytes 
C) packets delayed 
D) packets rejected 
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Quiz Answer Key 


Ql) 


Q3) 


Q4) 


Q5) 


Q6) 


Q7) 


Q8) 


A 


Relates to: 


A 


Relates to: 


A 


Relates to: 


A 


Relates to: 


A 


Relates to: 


B 


Relates to: 


B 


Relates to: 


B 


Relates to: 


Relates to: 


Relates to: 


Relates to: 
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Step 1: Configuration of FRTS 


Step 2: Configuration of FRTS 


Steps 3-5: Configuration of FRTS 


Traffic-Shaping Rate Enforcement 


Traffic-Shaping Rate Enforcement Configuration Example 


Traffic-Shaping BECN Support Example 


Traffic-Shaping BECN Support Configuration Example 


Traffic-Shaping Example 


Verification of FRTS 


show traffic-shape Command 


show traffic-shape statistics Command 


Configuring Frame Relay with Traffic Shaping 
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Module 9 | 


Implementing DDR Backup 


Overview 


This module describes how to configure a backup connection for a primary connection, such as 
a Frame Relay serial connection, in the event that the link goes down or is overused. 


Objectives 
Upon completing this module, you will be able to: 
™ Configure a backup connection that activates upon primary line failure 


™ Configure a backup connection to engage when the primary line reaches a specified 
threshold 


= Configure a dialer interface and a specific physical interface to function as backup to the 
primary interface 


Outline 


The module contains these lessons: 
= Configuring Dial Backup 


™ Routing with the Load Backup Feature 
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Configuring Dial Backup 


Overview 


This lesson describes how to configure a backup connection for a primary connection, such as a 
Frame Relay serial connection, in the event that the link goes down or is overused. 


Relevance 


Dial backup provides protection against WAN downtime by allowing the network administrator 
to configure a backup serial line through a circuit-switched connection. 


Objectives 


Upon completing this lesson, you will be able to: 


Configure a backup connection that activates upon primary line failures 


Configure a backup connection to engage when the primary line reaches a specified load 
threshold 


Identify the steps that are needed to correctly configure a backup connection to engage 
when the primary line fails 


Configure a backup connection to correctly identify when the primary line fails and to 
delay engaging when the primary line fails 


Configure a backup connection to delay engaging when the primary line fails and delay the 
shutdown of the backup interface after the primary interface is re-enabled 


Show an example of a configuration of a backup connection that will engage when the 
primary line reaches a specified load threshold of 60 percent 


Identify the limitations of using a physical interface as a backup interface 


Identify scalability measures for backup interfaces by using dialer profiles 


Learner Skills and Knowledge 


To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m All knowledge presented in the /ntroduction to Cisco Networking Technologies (INTRO) 
course 


m All knowledge presented in the /nterconnecting Cisco Network Devices (ICND) course 


Outline 
This lesson includes these topics: 
m Overview 
= Dial Backup Overview 
m™ Dial Backup for High Primary Line Usage 
= Activation of Backup Interfaces for Primary Line Failures 
= Activation of Dial Backup 
m™ Dial Backup Activation Example 
= Configuration of Dial Backup for Excessive Traffic Load 
™ Configuration Example of Dial Backup for Excessive Traffic Load 
= Backup Limitations with Physical Interfaces 
m™ Dial Backup with Dialer Profile 
= Configuration of a Backup Dialer Profile 
m@ Daialer Profile Backup Example 
= Summary 


B Quiz 
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Dial Backup Overview 


This topic describes configuring a backup connection that activates upon primary line failures. 


Dial Backup for Primary Line Failures 


Secondary 


* A backup connection will enable if the primary line 
fails 


Dial-on-demand routing (DDR) backup is a method of bringing up an alternate dialup link if 
the primary WAN link fails. When the router configured for DDR backup recognizes that the 
primary connection to the remote site has been lost, it initiates a DDR connection to the remote 
site using an alternative dialup connection. In some cases, when a single permanent virtual 
connection (PVC) or data-link connection identifier (DLCI) fails on a Frame Relay multipoint 
interface, the PVC failure will not initiate a dial backup connection. The router will initiate a 
DDR backup connection only if it detects that the primary interface has failed. 


The backup interface can be a physical interface or an assigned backup interface to be used in a 
dialer pool. Backup interfaces for a primary line can be an ISDN BRI interface, an 


asynchronous interface, dialer interface, or another serial interface. 


Backup interfaces are beneficial for redundancy in case primary lines fail. The example in the 
figure illustrates an ISDN backup for a Frame Relay network. 
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Dial Backup for High Primary Line Usage 


This topic describes configuring a backup connection to engage when the primary line reaches 
a specified threshold. 


Dial Backup for High Primary Line Usage 


Secondary 
The primary line is 
at 50 percent 
capacity. Enable 
the secondary link. 


* A backup connection will enable if the primary line 
reaches a specified threshold 
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In addition to backing up a primary line in case of failure, a secondary backup interface can be 
configured to activate when one of the following circumstances occurs: 


m™ = The load on the primary line reaches a specified threshold 
m™ The load on the primary line exceeds a specified threshold 
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Activation of Backup Interfaces for Primary Line 
Failures 


This topic describes the steps needed to correctly configure a backup connection to engage 
when the primary line fails. 


Activating Dial Backup for 
Line Failures 


Router (config-if)#backup interface interface-type number 


¢ Specifies the backup interface 


Router (config-if)#backup delay {enable-delay | never} 

{disable-delay | never} 

* Designates when to activate the backup line if a 
primary line fails 


Perform these steps to configure backup if a primary line goes down: 
Step 1 Select the primary interface and configure it as needed (for DDR, Frame Relay 
interfaces and subinterfaces, ATM, and so on). 


Step 2 On the primary interface, use the backup interface interface-type number command 


to specify the backup to be used if a dial backup is needed. The command syntax is 
shown in the table. 


backup interface interface-type number Command 


Command Description 


interface-type number Specifies the interface or dialer interface to use for backup. 
Interface number specifications vary from router to router. For 
example, some routers require you to just specify the port number, 
while others require you to specify the slot and port. 
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Step 3 Define the period of time to wait before enabling the backup link when the primary 
link goes down with the backup delay fenable-delay | never} {disable-delay | 
never} command. The command syntax is shown in the table. 


backup delay {enable-delay | never} {disable-delay | never} Command 


Command Description 


enable-delay Number of seconds that elapse after the primary line goes down 

before the Cisco IOS software activates the secondary line 
disable-delay Number of seconds that elapse after the primary line comes up 

before the Cisco IOS software deactivates the secondary line 


never Prevents the secondary line from being activated or deactivated 
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Activation of Dial Backup 


This topic describes configuring a backup connection to correctly identify when the primary 
line fails, and configuring a backup connection to delay engaging when the primary line fails. 


Activating Dial Backup 


Branch Office 


Router#show interface dialer 1 
Dialerl is standby mode, line protocol is dow 

Hardware is Unknown 

Intecnet ackizrewx= is 10.1.5.1/24 

MTU LSOC bytex, Bw SE Kbit, DLY 20000 usec, cely 255/255, loed 1/255 
Encarpsnlation PPP, loopback not set 

DTR is pulsed for 1 seconds on reset 

<Output Omitted> 


When a backup interface is specified on a primary line, the backup interface is placed in 
standby mode, as illustrated in the figure. Once in standby mode, the backup interface is 
effectively shut down until enabled. The backup route between the two company sites is not 
resolvable and does not appear in the routing table. 


The primary link is the only route that appears in the routing table. The branch office router 
continues to monitor the line protocol of the primary interface or subinterface. 


When the branch office router receives an indication that the primary interface is down, the 
backup interface is brought up. The amount of time that the device waits to bring up the backup 
interface is adjustable using the backup delay command. You can also configure the backup 
interface to go down (after a specified time) when the primary connection is restored. 


The backup interface command is dependent on the router identifying that an interface is 
physically down. Because of this, the backup interface command is commonly used to back 
up ISDN BRI connections, asynchronous lines, and leased lines. This is because the interfaces 
to such connections go down when the link fails; therefore, the backup interface can quickly 
identify such failures. The backup interface approach may also be used for point-to-point 
Frame Relay subinterfaces. However, with Frame Relay, the main or multipoint interfaces can 
remain in an up/up state even if the PVC goes down. This could cause the router to fail to 
detect a down primary Frame Relay connection, and thereby fail to bring up the backup link. 


A new development for end-to-end PVC management is a Cisco proprietary feature known as 
Frame Relay end-to-end keepalive. In Frame Relay end-to-end keepalive, keepalive packets are 
encapsulated in Frame Relay. This feature provides a status to verify that end-to-end 
communications are working and that traffic is getting through. This feature also allows a Cisco 
device to quickly detect that a link is down and enable the backup link. 
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Dial Backup Activation Example 


This topic describes configuring a backup connection to delay engaging when the primary line 
fails, and delaying the shutdown of the backup interface after the primary interface is re- 
enabled. 


Dial Backup Activation Example 


Branch Office 


Router (config)@interface serial 3/1 
Router (config-if) Wbackup interface bri 0/0 
Router (config-if) #backup delay 20 40 


. k Enable backup 20 
> ke 
ge facretny ~~ seconds after the 


primary line Silure. 
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In the figure, interface serial 3/1 is the primary interface. If the primary interface is down for 20 
seconds, the backup interface, bri 0/0, is activated. The secondary line deactivates 40 seconds 
after the primary line is re-enabled. 


Note The example in the figure illustrates only the commands to enable a backup. The interface 
must also be configured as needed (for DDR, Frame Relay, ATM, and so on). 
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Configuration of Dial Backup for Excessive 
Traffic Load 


This topic describes configuring a backup connection to engage when the primary line reaches 
a specified load threshold. Also discussed are the steps that are needed to engage a backup 
interface when the primary line reaches a specified load threshold. 


Configuring Dial Backup for Excessive 
Traffic Load 


¢ Specifies the backup interface 


Router (config-if)#backup load {enable-threshold | never} 
{disable-load | never} 


¢ Specifies when the backup interface should 
enable or disable 


You can configure a backup to activate the secondary line based on the traffic load on the 
primary line. The software monitors the traffic load and computes a 5-minute moving average. 
The 5-minute moving average can be modified to provide a more responsive load backup with 
the load-interval command. If this average exceeds the value you set for the line, the 


secondary line is activated. In addition, depending on how the line is configured, some or all of 
the traffic flows onto the secondary dialup line. 
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9-12 


Perform these steps to configure backup if a primary line reaches or exceeds a certain 
threshold: 


Step 1 Select the primary interface and configure it as needed (for DDR, Frame Relay 
interfaces and subinterfaces, ATM, and so on). 


Step 2 On the primary interface, use the backup interface interface-type number command 
to specify the backup to be used if a dial backup is needed. The command syntax is 
shown in the table. 


backup interface interface-type number Command 


Command 


Description 


interface-type number Specifies the interface or dialer interface to use for backup. 


Interface number specifications vary from router to router. For 
example, some routers require you to just specify the port number, 
while others require you to specify the slot and port. 


Step 3 To set the traffic load threshold for dial backup service, use the backup load 


fenable-threshold | never} {disable-load | never} command. The command syntax is 
shown in the table. 


backup load {enable-threshold | never}{disable-load | never} Command 


Command Description 


enable-threshold Percentage of the available bandwidth of the primary line that the 


traffic load must exceed to enable dial backup 


disable-load Percentage of the available bandwidth of the primary line that the 


traffic load must be less than to disable dial backup 
never Prevents the secondary line from being activated or deactivated 


Note Because the backup load is determined on an interface, the backup load feature cannot be 
configured on a subinterface. 


Step 4 (Optional) To change the length of time for which data is used to compute load 
statistics, use the load-interval seconds interface configuration command. The 
command syntax is shown in the table. 


load-interval seconds Command 


Command Description 


seconds Length of time for which data is used to compute load statistics; a 
value between 30 and 600 that is a multiple of 30. Used to increase 
the accuracy of the interface load. 


Warning: This command will increase the load on the CPU because 
of more frequent calculations. 
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Configuration Example of Dial Backup for 
Excessive Traffic Load 


This topic describes the configuration of a backup connection to engage when the primary line 
reaches a specified load threshold of 60 percent. 


Configuration Example of Dial Backup for 
Excessive Traffic Load 


‘ 
ISON 9 - — -- = bride 


The backup interfce 
Router (config)#interface serial 3/1 


Router (config-if) fbackup interface bri yt 


J aoe 
Router (confag-if) fhbackup load | 60 5 = = Of the pny ee 
‘ . 


The load command i The BRI cae bandiel 
is used for backing if the primary line 
up traffic overloads. threshold exceeds 60 percent. 


The example in the figure sets the traffic threshold to 60 percent of the primary line serial 3/1. 
When the load is exceeded, the secondary line, BRI 0/0, is activated, and is not deactivated 
until the load is less than 5 percent of the primary bandwidth. 


Note The example in the figure illustrates only the commands to enable a backup. The interface 
must also be configured as needed (for DDR, Frame Relay, ATM, and so on). 
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Backup Limitations with Physical Interfaces 


This topic describes the limitations of using a physical interface as a backup interface. 


Backup Limitations with Physical Interfaces 


Branch Office iuenn Roba? Central Site 


Network === ~ Si 


* A physical interface cannot be a backup and 
active at the same time 


inc. All rights reserved. 


If a physical ISDN BRI interface is used as a backup to a primary connection, it will be placed 
in standby mode and cannot be used as a link to another site. This method illustrates an 
inefficient use of router resources, because the physical BRI interface can be used to send 
traffic across the WAN. 


In the figure shown, the branch office wants to back up its Frame Relay connection with ISDN 
BRI. However, the branch office also wants to use the same BRI interface as a DDR link to a 
small office, home office (SOHO). If the branch office places the physical BRI link in standby 
mode, it is deactivated and will not activate until the primary line fails or reaches a specified 
threshold. Thus, the BRI link cannot be used to connect to the SOHO. 
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Dial Backup with Dialer Profile 


This topic describes the scalability measures for backup interfaces by using dialer profiles. 


Using Dialer Interfaces as the 


Backup Interface 
ee ee ae SINUS | 


Dialer Interface 1 Dialer Interface 2 


Use this interface Use this interface 
as the backup for another 


interface. connection. 


Specify this physical interface 
as the interface to use in both 
events by making it amember 


of both pools. 
Physical Interface 


¢ A dialer interface can be used as the backup 
without deactivating the physical interface. 
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With dialer profiles, the BRI connection in the preceding figure can be used to back up the 
primary Frame Relay link between the central site and branch office. At the same time, a BRI 
connection can be configured for DDR between the branch office and SOHO. By configuring 
one dialer profile to act as the backup line, this profile will be in standby mode until engaged. 
Configuring another dialer profile allows for communication between the branch office and 
SOHO sites. Thus, configuring the physical BRI interface to be a member of both dialer pools 
enables the physical BRI interface for backup and remote connectivity. 


Note When you use a BRI for a dial backup, neither of the bearer (B) channels can be used while 
the interface is in standby mode. In addition, when a BRI is used as a backup interface and 
the BRI is configured for legacy DDR, only one B channel is usable. After the backup is 
initiated over one B channel, the second B channel is unavailable. If the backup interface is 
configured for dialer profiles, both B channels can be used. 
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Configuration of a Backup Dialer Profile 


This topic describes configuring a backup connection to engage when the primary line fails, 
using dialer profiles. Also described is configuring a backup connection to engage when the 
primary line reaches a specified load threshold, using dialer profiles. 


Configuring a Backup Dialer Profile 


Dialer Interface 


Step1 interface dialer number 


ip unnumbered loopback0 
encapsulation ppp 
dialer remote-name name 
dialer string string 


dialer pool number 


dialer-group number 


A dialer interface can be configured as the logical intermediary between one or more physical 
interfaces. Another physical interface that is configured to belong to a dialer pool can also be 
used as the backup interface. 


Perform these steps to configure a dialer interface and a specific physical interface to function 
as a backup to other physical interfaces: 


Step 1 Create and configure a dialer interface as described in Module 7, “Using DDR 
Enhancements.” 
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This table reviews how to configure a dialer interface. 


Review of Commands for Configuring a Dialer Interface 


Command Description 

interface dialer number Creates a dialer interface 

ip unnumbered loopback0O Specifies an IP address for your dialer interface 
encapsulation ppp Specifies PPP encapsulation 

dialer remote-name name Specifies the CHAP authentication name of the remote router 
dialer string string Specifies the remote destination to call 

dialer pool number Specifies the dialer pool to use for calls to this destination 
dialer-group number Assigns the dialer interface to a dialer group 


Configuring a Backup 
Dialer Profile (Cont.) 


Dialer Interface 


interface dialer nunber 


ap unnumbered loopback? 
encapsulation pop 
dialer remote-nane azne 
dialer string striag 
dialer pool number 
dialer-group sunber 
Physical Backup Interface 

Interface type number 

encapsulation ppp 

Prp authentication chap 


dialer pool-member number 


Step 2 Configure the physical BRI interface for ISDN using PPP encapsulation. 


Step 3 Use the dialer pool-member number command to place the physical BRI interface 
into the same dialer pool as the backup dialer interface. 


dialer pool-member number Command 


Command Description 


number Makes the interface a member of the dialer pool. This value must 


match the appropriate dialer pool number. 
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Configuring a Backup 


Dialer Profile (Cont.) 
ans Ci Sains || 


Dialer Interface 


arterteace ciasler rams 


ap unmumbered loupbackt 


encapsulation ppp 


caaler renote-nane nage! | Primary Interface 


Mmaler steing string Ssitwctece anctweface-typw cusbus 
Bool Gisler peol sumber 


ap unounsbered lovpbackd 
dialer-crsup mimber 


backup interface dialer rurber 
Physical Backup Interface backup {delay (anadlevielar 


2 jancertsce interrace-rype nember dicabie delay)! lost 


encapsulation ppp funwhie- thewsbeid 


disahie-thresdcid) } 
Ppp authentication chap 


cdhaler pocol-member number 


Now configure the primary interface to use the dialer interface as backup. 
Step 4 Enter interface configuration mode for the primary interface. 


Step 5 Specify the backup interface dialer to be used with the backup interface dialer 
number command. 


backup interface dialer number Command 


Command Description 


number Specifies the interface or dialer interface to use for backup. 
Interface number specifications vary from router to router. For 
example, some routers require you to only specify the port 
number, while others require you to specify the slot and port. 


Step 6 Specify the delay or the load percent after which the backup engages with the 
backup {delay enable-delay disable delay | load enable-threshold disable- 
threshold} command. 
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Dialer Profile Backup Example 


This topic describes a backup connection that engages when the primary line fails. This is done 
using dialer profiles and configuring a backup connection. 


Dialer Profile Backup Example 


anterface daisler 3 

ip unnumbered Loopbacko 
encapoulation ppp 

dialer remote-name Rested 
dialer pool 1 

dialer string 5551212 


dialer-group 1 


interface bri 0/9 
encapsulation ppp 
dialer pool-member 1 
ppp authenticatian chap 


anterfince werasl 3/1 
ap wevumbered loopback? 


“backup delay 5 10 


The figure shows the configuration of a site that backs up a leased line using a BRI interface. 
One dialer interface, dialer 0, is defined. The leased line, serial 3/1, is configured to use the 
dialer interface, dialer 0, as a backup. The dialer interface uses dialer pool 1, which has 
physical interface bri 0/0 as a member. Thus, physical interface bri 0/0 can back up the serial 
interface. 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
EE SS eee | 


* Dial backup provides protection against WAN 
downtime. 


* DDR backup is a method of bringing up an 
alternate dialup link should the primary WAN 
link fail. 


¢ When a backup interface is specified ona 
primary line, the backup interface is placed in 
standby mode. 
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Quiz 


Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 


Ql) 


Q2) 


Q3) 


Q4) 


QS) 


Backup interfaces for a primary line can be any of the following, except 

A) an ISDN interface 

B) an asynchronous interface 

C) an Ethernet interface 

D) a dialer pool 

A secondary backup interface can be configured to activate when any of the following 
circumstances occur, except when 

A) the primary line load exceeds a specified threshold 

B) the primary line fails 

C) the primary line load reaches a specified threshold 


D) the router hardware fails 


Which command specifies the interface or dialer interface to use for backup? 

A) interface number 

B) interface-type number 

C) interface-type 

D) enable-delay 

Which command is used to adjust the amount of time that the device waits to bring up 
the backup interface? 

A) interface backup 

B) backup interface 

C) delay backup 

D) backup delay 

In the command backup delay 25 40, how long will it take the backup line to activate 
if the primary goes down? 

A) 25 seconds 

B) 40 seconds 

C) between 25 to 40 seconds 


D) greater than 40 seconds 
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Q6) 


Q7) 


Q8) 


Q9) 


Q10) 


Building Cisco Remote Access Networks (BCRAN) v2.1 


The software monitors the traffic load and computes a moving average for what period 


of time? 


A) 
B) 
C) 
D) 


200 seconds 
250 seconds 
300 seconds 
350 seconds 


In the command backup load 60 5, when the load is exceeded the secondary line is 
activated and will not be deactivated until the combined load is 


A) 
B) 
C) 
D) 


equal to 5 percent of the primary bandwidth 

less than 5 percent of the primary bandwidth 
greater than 60 percent of the primary bandwidth 
equal to 60 percent of the primary bandwidth 


If a physical link is used as a backup to a primary connection, what mode is it in? 


A) 
B) 
C) 
D) 


standby mode, and can be used as a link to another site 
active mode, and cannot be used as a link to another site 
active mode, and can be used as a link to another site 


standby mode, and cannot be used as a link to another site 


Using dialer profiles, a BRI connection can be used for both a backup for a Frame 
Relay connection and DDR between the branch office and SOHO, provided : 


A) 


B) 


C) 


the physical BRI interface is a member of both dialer pools and the profile is in 
active mode 


the physical BRI interface is a member of both dialer pools and the profile is in 
standby mode 


the physical BRI interface is a member of one of the pools and the profile is in 
standby mode 


Which of the following commands is required to set up a dialer profile? 


A) 
B) 
C) 
D) 


dialer rotary-group 1 

dialer map ip 131.108.2.5 name cisco 5552121 
dialer string 5551234 

PPP multilink 
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Ql11) In which situation would it be advantageous to use dialer profiles over legacy DDR 


configurations? 

A) One physical interface needs to call multiple sites with the same 
communication parameters. 

B) All asynchronous interfaces need to share the same configuration parameters. 

C) All of the asynchronous interfaces are members of the same hunt group. 

D) Physical interfaces need to have different characteristics based on incoming or 


outgoing calls. 
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Quiz Answer Key 


Ql) Cc 
Relates to: Dial Backup Overview 
Q2) D 
Relates to: Dial Backup for High Primary Line Usage 
Q3)  B 
Relates to: Activation of Backup Interfaces for Primary Line Failures 
Q4) =D 
Relates to: Activation of Dial Backup 
Q5) A 
Relates to: Dial Backup Activation Example 
Q6) Cc 
Relates to: Configuration of Dial Backup for Excessive Traffic Load 
Q7)  B 
Relates to: Configuration Example of Dial Backup for Excessive Traffic Load 
Q8) D 
Relates to: Backup Limitations with Physical Interfaces 
Q9)  B 
Relates to: Dial Backup with Dialer Profile 
Q10) c¢ 
Relates to: Configuration of a Backup Dialer Profile 
Qll) D 


Relates to: Dialer Profile Backup Example 
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Routing with the Load Backup 
Feature 


Overview 


This lesson discusses how load sharing and load balancing work with different routing 
protocols when the load backup feature is enabled. 


Relevance 


To effectively manage an enterprise network, you must understand how to maintain 
communication in the event of a primary line failure or add additional bandwidth during times 
of primary line congestion. 


Objectives 


Upon completing this lesson, you will be able to: 


Identify bandwidth utilization issues affecting OSPF routing during load sharing when the 
primary line reaches a specified load threshold 


Identify bandwidth utilization issues affecting EIGRP and static routing during load sharing 
when the primary line reaches a specified load threshold 


Identify the commands to verify dial backup configuration 


Configure a floating static route as a backup connection that activates upon primary line 
failures 


Describe how to use dialer watch as a backup connection that activates upon primary line 
failures 


Configure dialer watch as a backup connection that activates upon primary line failures 


Learner Skills and Knowledge 


To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m All knowledge presented in the Introduction to Cisco Networking Technologies (CCNAB) 


course 


m All knowledge presented in the /nterconnecting Cisco Network Devices (ICND) course 


Outline 
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This lesson includes these topics: 


Overview 

Load Sharing with OSPF and EIGRP 

Verification of Dial Backup Configuration 
Configuration of Floating Static Routes as Backup 
Dialer Watch as Backup 

Configuration of Dialer Watch 

Summary 


Quiz 
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Load Sharing with OSPF and EIGRP 


This topic describes the bandwidth utilization issues affecting Open Shortest Path First (OSPF) 
and Enhanced Interior Gateway Routing Protocol (EIGRP) routing during load sharing when 
the primary line reaches a specified load threshold. 


Load Sharing with OSPF 


Branch Office Ceritral Site 


Load Sharing 


Branch Office 
Cost = 200 


No Load Sharing 
¢ 
brill ~ — — = ~« 
Cost=100 
J 


1 


Secondary 
* Load sharing will occur if the costs are equal. 


If the OSPF routing protocol is used, the load backup feature load-shares between the primary 
and backup links after the backup link is activated. However, the cost assigned to the primary 
link and the backup link must be equal if both links are used. If one link has a lower cost than 
the other, all routing will occur over the link with the lower cost, even though both lines are up. 


OSPF does not support load balancing between the primary link and the backup connection if 
the links are not equal. If load balancing is to occur in this environment, the backup connection 
must be able to support comparable bandwidth environments. (For example, a 64-kbps ISDN 
connection backs up a 64-kbps serial connection.) 
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Load Sharing with EIGRP 


Branch Office {7 1 Central Ste 


<input omitted> 
; Load share even if 
Beanch (config) #@recuter eiszp 100 the fk with the worne 
ranch (config-reuter) #variance 2 : metric is 2 times worse 
-raffic-share balanced 


Branch (config-router) #tr: 


| The best route transports 
| 2 times the traffic 
| of the worst route. 


If EIGRP is used, the load backup feature will load-share between the primary and backup links 
after the backup link is activated. However, the metric assigned to the primary link and the 
backup link must be equal if both links are to be used. If one link has a lower metric than the 
other, all routing will occur over the link with the lower metric even though both lines are up. If 
load balancing is to occur in this environment, each connection must be able to support 
comparable bandwidth environments. (For example, a 64-kbps ISDN link backs up a 64-kbps 
serial connection.) 


Instead of relying on equal metrics to load-share and load-balance, the variance configuration 
command can also be used to control load balancing in an EIGRP environment. Use the 
variance multiplier command to configure unequal-cost load balancing by defining the 
difference between the best metric and the worst acceptable metric. An oversimplified 
explanation is that a router can use paths with worse routing metrics up to a value less than the 
current best route metric times the variance. 


variance multiplier Command 


Command Description 


multiplier The range of metric values that will be accepted for load balancing. 
Acceptable values are nonzero, positive integers. The default value 
is 1, which means equal-cost load balancing. In the example, the 


multiplier is set to 2. 


Setting this value lets the router determine the feasibility of a potential route. 
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If the following two conditions are met, the route is deemed feasible and can be added to the 
routing table for load sharing: 


= Local best metric (current FD) > best metric (AD) learned from the next router. This 
condition exists if the next router in the path is closer to the destination than the current 
router. This approach prevents routing loops. 


m The variance number multiplied by the local best metric (current FD) > metric (FD) 
through the next router. This condition is true if the metric of the alternate path is within 
the variance. 


In the figure, the variance 2 command specifies to use both paths even if the metric of the 
backup path is two times worse than the primary path. 


You can use the traffic-share {balanced | min} command to control how traffic is distributed 
among EJGRP load-sharing routes. The default is four routes and the maximum is six routes. 


The traffic-share balanced command distributes traffic proportionally to the ratios of the 
metrics. As a result of the variance 2 command, the best route will transport two times the 
traffic of the worst route. The traffic-share min command specifies to use routes with the least 
cost. 


Note Advertised distance (AD) is the metric that a neighbor uses to reach a given destination 
network. The AD is advertised as part of the EIGRP update for a given network. A router 
receiving the update adds its cost to reach that neighbor to the AD. The sum of these values 
provides the feasible distance (FD) to reach that destination network through that neighbor 
router. 
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Verification of Dial Backup Configuration 


This topic describes the commands that are used to verify dial backup configuration. 


Verifying the Dial Backup contiguration 


Routeréshow interface « 3/1,1 
Serial3/1.1 is up, line protecel is up 
Hardware is Co2430 in sync mode 


1500 bytes, BW 
Encepswulaticn PUAME-MELAY 
<Oetput Omi tted> 


alex 


Ging prateaol 


Internet ackireas is 10,1.5,.1/24 
MTU 1500 bytes, BW é Kbit, DLY 20000 usec, rely 258/285, load 1/255 |. 
<Outpet Omitted> : 


BCRAN v2.19-4 


To verify a backup line link for a primary line connection, enter the show interface type 
number command. 


The primary interface output in the figure illustrates that dialer 1 is specified as a backup if the 
serial subinterface 3/1.1 fails. If the line protocol on the subinterface goes down because of the 
Local Management Interface (LMI) state changing from ACTIVE to INACTIVE or 
DELETED, the backup will be enabled 20 seconds later. The backup will deactivate 40 seconds 
after the serial subinterface reactivates. 


The backup interface output shows the backup link in standby mode until the primary line 
subinterface line protocol goes down. 
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Configuration of Floating Static Routes as 
Backup 


This topic describes configuring a floating static route as a backup connection that activates 
upon primary line failures. 


Floating Static Routes as sang 


Primary — Oefautt 
Administrative Distance = 110 


Branch Office Central Site 


Frame Relay 
10.1.4.1.. . . — Sines oo ww 10143 


Secondary — Administrative 
Distance = 130 


Router (config) #ip route 10.1.2.0 255 .255,255.0 10.1,5.2 130 


| The administrative distance is higher 
| overthe ISDN link. it will activate only 
if the Frame Relay link is down. 


Floating static routes are static routes that have an administrative distance greater than the 
administrative distance of dynamic routes. The administrative distance can be configured on a 
static route so that the static route is less desirable than a dynamic route, and the static route is 
not used when the dynamic route is available. However, if the dynamic route is lost, the static 
route can take over and traffic can be sent through this alternate route. If the alternate route is 
provided by a DDR interface, the DDR can then be used as a backup mechanism. 


Note The administrative distance values of some common Interior Gateway Routing Protocols 
(IGRPs) are: EIGRP: 90, IGRP: 100, OSPF: 110, Routing Information Protocol (RIP): 120, 
and External EIGRP: 170. 


In the previous example, the dynamic primary route to the central site Ethernet network, 
10.1.2.0, is over the Frame Relay network, 10.1.4.0. A floating static route over the ISDN 
network, 10.1.5.0, is configured with the administrative distance of 130. However, the route 
over the ISDN network will only be used to get to network 10.1.2.0 if the Frame Relay network 
is down because the administrative distance is set higher on the ISDN connection. 


Floating static routes are independent of line protocol status. The line protocol of a Frame 
Relay multipoint interface may not go down if the PVC becomes inactive. This situation 
defeats the purpose of configuring backup interfaces. A failed PVC may not bring down a line 
protocol status; thus, dynamic routes will not be flushed from the routing table. The floating 
static route with a higher administrative distance will not be installed in the routing table of that 
router. 
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To configure a floating static route, establish a static route for a designated network by 
specifying a higher administrative distance than that of the dynamic routing protocol. Use the 
ip route command to configure a floating static route. The ip route command arguments are 
listed in the table. 


ip route Command Arguments 


Command Description 

Network-number IP address of the target network or subnet 

Network-mask Network mask that lets you mask network and subnetwork bits 

IP address IP address of the next hop that can be used to reach that network 


in standard IP address notation. Example 1.1.1.1 
Interface Network interface to use 
Distance (Optional) An administrative distance, which is a rating of the 


trustworthiness of a routing information source, such as an 
individual router or a group of routers 
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Dialer Watch as Backup 


This topic describes how to use dialer watch as a backup connection that activates upon 
primary line failures. 


Using Dialer Watch as Backup 


Branch Oftice Central Ste 
112014 
S34 


brid -~ —- — — - ISON "= — == bith 
Network 


Secondary The rowte 
WA2W24 


appears in 
the routing 


Router (config) tinterface dialer 1 table 
Router (config-if) @disler watch-qroup 1 


Router (config) tdialer watehiet 1 in 10.1.3.0 DSS _ FAR 8K 6 


the watched rule is 
removed from the routing 
table, the Interface will 
call the remote site. 


As an alternative to floating static routes, you can use the dialer watch commands. Dialer 
watch is a backup feature that integrates dial backup with routing capabilities. Dialer watch 
provides reliable connectivity without relying solely on defining interesting traffic to trigger 
outgoing calls to the central site router. Hence, dialer watch can also be considered regular 
DDR with no requirement for interesting traffic, just lost routes. By configuring a set of 
watched routes that define the primary interface, you are able to monitor and track the status of 
the primary interface as watched routes are added and deleted. 


The figure shows the configuration of the branch site using dialer watch to monitor the network 
10.1.2.0/24 coming from the central site. This network and mask must be an exact match or 
dialer watch will fail. 


With dialer watch, the router monitors the existence of a specified route and if that route is not 
present, it initiates dialing of the backup link. Unlike the other backup methods (such as backup 
interface or floating static routes) dialer watch does not require interesting traffic to trigger the 
dial. Instead it triggers a dial backup call when a watched route is deleted from the routing 
table. 


When a monitored network is deleted from the routing table of a dialer watch router, the router 
checks for another valid route for the lost network. If an alternate valid route using a 
nonbackup interface exists for a deleted watched network, the primary link is considered active 
and the backup link is not initiated. However, if there is no valid route, the primary line is 
considered down and unusable, and the router then initiates a dial backup call. Upon activation 
of the secondary link, the router forwards all traffic destined for the remote network over the 
backup link. 
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After the dial backup link is initialized, the router checks to see if the primary link has been re- 
established after each idle timeout period. If the router finds that the primary link remains 
down, the idle timer resets and the backup link remains active. As soon as the primary link is 
re-established, the router updates its routing table and routes traffic over the primary link. 


Because traffic is no longer routed over the dialup connection, the backup link deactivates as 
the idle timeout expires. 


Note Dialer watch is supported with IGRP, EIGRP, and OSPF routing protocols only. 
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Configuration of Dialer Watch 


This topic describes how to configure dialer watch as a backup connection that activates upon 
primary line failures. 


Dialer Watch Example 


Branch Office Central Ste 
10.1.2.0/24 


4 


N 
_—=—=— = britd 


Router tconfig) Qinterlace dialer + 
Rowter founfig-iftb@dialer watch-group } 


Router (config) Pdialer watchlist 1 ip 10.3.2.0 255.255.255.0 


Use the three steps below to configure a dialer watch function. The command parameters are 
described respectively in the tables below. 


Step 1 Define the IP addresses or networks to be watched using the dialer watch-list 
group-number ip ip-address address-mask command in global configuration mode. 


dialer watch-list group-number ip ip-address address-mask Command 


Command Description 


group-number Dialer list number 


The IP address of the network being watched 


ip-address address-mask 


Step 2 Enable dialer watch on the backup interface. Use the dialer watch-group command 
in interface configuration mode. 


dialer watch-group group-number Command 


Command Description 


Dialer watch group number references the dialer 
list number 


group-number 
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Step 3 To set a delay timer on the backup interface to ensure stability for flapping 
interfaces, use the optional dialer watch-disable seconds command. 


dialer watch-disable seconds Command 


Command Description 


seconds Number of seconds to set for the delay timer 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
err Sdn SOMO PS | 


° To effectively manage an enterprise network, you 
must use the load backup feature to maintain 
communication in the event of a primary line 
failure, or add additional bandwidth during times of 


primary line congestion. 
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Next Steps 


For the associated lab exercise, refer to the following section of the course Lab Guide: 


m Lab Exercise 9-1: Enabling a Backup to a Primary Connection 
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Quiz 


Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 


Q1) How many links will OSPF load-balance across if the costs are different? 


A) 
B) 
C) 
D) 


0 
1 
2 
3 


Q2) — Under what conditions will unequal-cost load balancing occur? 


A) The metric assigned to the primary link must be greater than the backup link. 

B) The metric assigned to the primary link and the backup link must be equal if 
both links are to be used. 

C) The metric assigned to the primary link must be less than the backup link. 

D) There can be no metric assigned to the backup link. 

Q3) | What command must be entered to verify a backup line link for a primary line 

connection? 

A) show running-config 

B) show version 

C) show startup-config 

D) show interface 

Q4) — Under what conditions is the static route NOT used when the dynamic route is 

available? 

A) when the static route has an administrative distance greater than the 
administrative distance of dynamic routes 

B) when the static route has an administrative distance less than the administrative 
distance of dynamic routes 

C) when the static route has an administrative distance equal to the administrative 
distance of dynamic routes 

D) when the static route is administratively enabled 


Q5) With dialer watch, what causes the router to initiate dialing of the backup link? 


A) 
B) 
C) 
D) 


The monitored route is not present. 
The monitored route is in active state. 
The monitored route has a higher variance. 


There cannot be a mask on the network address. 
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Q6) What is the function of the dialer watch-list command? 
A) verifies IP addresses 
B) defines the networks to be watched 
C) sets up a list of dialer strings 


D) all of the above 
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Quiz Answer Key 


Ql) A 

Relates to: Load Sharing with OSPF and EIGRP 
Q2) B 

Relates to: Load Sharing with OSPF and EIGRP 
Q3) =D 

Relates to: Verification of Dial Backup Configuration 
Q4) A 

Relates to: Configuration of Floating Static Routes as Backup 
Q5) A 

Relates to: Dialer Watch as Backup 
Q6) B 


Relates to: Configuration of Dialer Watch 
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Module 10| 


Using QoS in Wide-Area 
Networks 


Overview 


This module explains why you may need to implement queuing technologies on your WAN 
connection. It also describes how to implement the queuing technologies available with Cisco 
IOS software so you can prioritize traffic over your WAN connection. This module also 
explains how you can use compression to optimize WAN utilization. 


Objectives 


Upon completing this module, you will be able to: 


Discuss QoS categories of service models 

Discuss the queuing options available using Cisco IOS software 

Describe where weighted fair queuing can be used and what problems it will solve 
Use Cisco IOS commands to configure weighted fair queuing 


Describe where class-based weighted fair queuing can be used and what problems it can 
solve 


Use Cisco IOS commands to configure class-based weighted fair queuing 
Describe where low latency queuing can be used and what problems it can solve 
Use Cisco IOS commands to configure low latency queuing 

Use show commands to identify queuing anomalies in an operational router 
Verify proper queuing configuration 


Implement compression in the network to optimize throughput 


Outline 


The module contains these lessons: 

m Identifying Quality of Service Models and Tools 
= Configuring Congestion Management 

= Verifying Congestion Management 


= Implementing Link Efficiency 
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Identifying Quality of Service 
Models and Tools 


Overview 


The connection between your network and the service provider network is commonly made 
with a serial point-to-point connection. This lesson describes the features and components of 
queuing to assist with traffic management during times of congestion. 


Relevance 


Before you configure queuing, it is helpful to know the general principles in the context of a 
WAN. 


Objectives 
Upon completing this lesson, you will be able to: 
m™ Define and describe the considerations for quality of service 
m Discuss QoS service models and mechanisms 
m Identify situations where traffic prioritization would be beneficial 
m™ Determine which queuing method best suits a situation 


m Specify the queuing options available using Cisco IOS software 


Learner Skills and Knowledge 


To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m= All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO) 
course 


m All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course 


Outline 
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This lesson includes these topics: 


Overview 

Quality of Service Defined 

Converged Networks: Quality Issues 

QoS Considerations 

QoS Application Requirements 

QoS Models 

QoS Mechanisms 

QoS Mechanisms and Remote Access 
Congestion Avoidance: Random Early Detection 
Congestion Avoidance: Weighted Random Early Detection 
Effective Use of Traffic Prioritization 

Queuing Overview 

Establishing a Queuing Policy 

Cisco IOS Queuing Options 

Link Efficiency Usage 


Summary 


Quiz 
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Quality of Service Defined 


This topic describes the features of quality of service (QoS). 


Quality of Service Defined 


The ability of the network to 
provide better or “special” service 


to a set of users/applications to the 
detriment of other users/applications 


Voice - Video - Data 


@. 


Consistent, Predictable 
Performance 


QoS is “the ability of the network to provide better or “special” service to selected users and/or 
applications to the detriment of other users and/or applications.” 


Cisco IOS QoS features enable network administrators to control and predictably service a 
variety of networked applications and traffic types, thus allowing network managers to take 
advantage of a new generation of media-rich and mission-critical applications. 


The goal of QoS is to provide better and more predictable network service by doing the 
following: 


m Providing dedicated bandwidth 
™ Controlling jitter and latency 
= Optimize loss characteristics 


QoS achieves these goals by providing tools for managing network congestion, shaping 
network traffic, using expensive wide-area links more efficiently, and setting traffic policies 
across the network. 


QoS offers intelligent network services that, when correctly applied, help to provide consistent, 
predictable performance. 
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Converged Networks: Quality Issues 


10-6 


This topic describes the types of problems that can occur when you are merging different traffic 
streams. 


Converged Networks: 


Quality Issues 
ee = | 


* Phone Call: “I can’t understand; your voice is breaking up.” 
* Teleconferencing: “The picture is very jerky. Voice is not 


synchronized.” Order Entry, Finance 
* Brokerage House: “I needed data two hours ago. Where is it?” Manufacturing, HR 


* Call Center: “Please hold while my screen refreshes.” Training, Other 
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A converged network is one in which voice, video, and data traffic use the same network 
facilities. Merging different traffic streams with dramatically differing requirements can lead to 
a number of problems. 


While packets carrying voice traffic are typically very small, they cannot tolerate delay and 
delay variation as they traverse the network or voice quality will suffer. Voices will break up 
and words will become incomprehensible. 


On the other hand, packets carrying file transfer data are typically large and can survive delays 
and drops. It is possible to retransmit part of a dropped file, but it is not feasible to retransmit a 
part of a conversation. 


The constant, but small packet voice flow competes with bursty data flows. Unless some 
mechanism mediates the overall flow, voice quality will severely degrade at times of network 
congestion. The critical voice traffic must get priority. 


Voice and video traffic are very time-sensitive. They cannot be delayed and they cannot be 
dropped or the resulting quality of voice and video will suffer. 


Finally, a converged network cannot fail. While a file transfer or email packets can wait until 
the network recovers, voice and video packets cannot. Even a brief network outage on a 
converged network can seriously disrupt business operations. 
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Converged Networks: 
Quality Issues (Cont.) 


* Packet loss: Some packets may have to be 
dropped when a link is congested 


° Delay: 


— End-to-end: Overall delay as packets traverse 
several devices and links 


— Jitter: Adjusting to variable delays from other 
traffic; causes additional delay 


¢ Lack of bandwidth: Multiple flows compete for 
limited bandwidth 


The three big problems facing converged enterprise networks are packet loss, delays (fixed 
delay, variable delay, and variation of delay), and lack of sufficient bandwidth capacity. 


m= Packet loss: This is usually occurs when a WAN data link is congested. Packet loss can 
also happen when routers run out of buffer space for a particular interface (output queue) or 
if the router input queue is full because the main CPU is congested and cannot process 
packets. Hardware-detected errors in a frame (bad CRC, or runt packet or giant packet) can 
also cause packet loss. 


m™ Delay: This is the time it takes for a packet to reach the receiving endpoint after being 
transmitted from the sending endpoint-- the “end-to-end delay.” It consists of two 
components: fixed network delay and variable network delay. Jitter is the delta, or 
difference, in the total end-to-end delay values of two voice packets in the voice flow. 


Two types of fixed delay are serialization and propagation delays. Serialization is the 
process of placing bits on the circuit. The higher the circuit speed, the less time it takes to 
place the bits on the circuit. Therefore, the higher the speed of the link, the less serialization 
delay. Propagation delay is the time it takes for frames to transit the physical media. 


Processing delay is a type of variable delay, and is the time required by a networking 
device to look up the route, change the header, and complete other switching tasks. In some 
cases, the packet also must be manipulated. For example, the encapsulation type or the hop 
count must be changed. Each of these steps can contribute to the processing delay. 


= Lack of bandwidth: This is insufficient physical capacity of the facility. Until recently, 
bandwidth was plentiful. But as more applications like IP telephony, videoconferencing, e- 
learning and mission critical data applications are being implemented lack of bandwidth 
(among other quality issues) must be addressed. Large graphic files or multimedia with 
voice and video cause bandwidth capacity problems over data networks. 


Calculation of bandwidth is complicated by various multiple flows and the total hops end- 
to-end. Even with an empty network, the maximum bandwidth available equals the 
bandwidth of the slowest link. 
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QoS Considerations 


This topic describes the issues that can affect QoS. 


QoS Considerations 


Multilayer Remote 
Campus Branch 


Elements of QoS: 
« Packet loss: Packet drops when congestion occurs 
« Delay: 200ms, 150ms ideal 
— Fixed: Codec, serialization, processing, WAN propagation 
— Variable (Jitter): Queuing, SP WAN, dejitter buffer, traffic shaping 
° Bandwidth: Contention induces delay (traffic shaping, queuing) 


There are several areas to be considered when evaluating your QoS. 


= Campus: On campus there is typically a large bandwidth available, thus minimizing QoS 
issues on campus. 


m= WAN edge: Often results in slow access links. If less than 2M, QoS techniques are a must 
to attain acceptable voice quality. 


m= WAN considerations: This area is often forgotten or misunderstood. Speed mismatches; 
oversubscription; and lack of control over a SP network can have impacts on QoS. 
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QoS Application Requirements 


This topic identifies the varying requirements different applications may have. 


Not All Traffic Ils Created Equal 


i Data Mission- 
Voice (Best-Effort) Critica! Data 


Low to Moderate 
Bandwidth Moderate to High 


Drop 
alsin ae log 
Delay . 

Jitter 


BCRAN v2.1—10-6 


Each of the various traffic types on modern networks may require a different type of service for 
the amount of bandwidth required. Different traffic types also vary on how sensitive they are to 
other transmission quality issues. To be successful, all traffic cannot receive the same service. 


Mission-critical data traffic requires different handling than other non-critical data traffic. First 
come first serve treatment of network traffic may not necessarily handle mission-critical traffic 
well. 


Voice and video traffic are very time-sensitive. This traffic should not be delayed or dropped, 
or the resulting voice or video fidelity will suffer. 


The figure shows how traffic types have the following characteristics: 


Different bandwidth requirements 
Sensitivity to packet drops (and the recovery of any lost packets) 
Sensitivity to end-to-end delay for receiving the packets 


Sensitivity to jitter (variation of that delay) 
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QoS Models 


This topic identifies the three QoS models. 


Three Models for Quality of Service 


° Best Effort (BE): No QoS is applied to packets 


* Integrated Services (IntServ): Applications signal 
that they need QoS to the network 


* Differentiated Services (DiffServ): The network 
recognizes classes that require special QoS 


There are three models used to design and implement QoS for a network: Best Effort, 
Integrated Services, and the Differentiated Services model. 


= Best Effort model: This model has no applied QoS tools. This model is appropriate if there 
is enough bandwidth and there is no concern as to when packets arrive or to whom. 


This model is easily scalable and requires no special mechanisms. But this model does not 
allow you to differentiate services, as there are no service guarantees. 


m= Integrated Services (IntServ) model: This model (also known as “Hard QoS”) allows 
applications to signal the network in advance to request special QoS such as delay or 
bandwidth. Once the network agrees with the conditions, the traffic cannot be impacted. 


Resource Reservation Protocol (RSVP) is commonly used to provide admission control for 
resources. This protocol includes explicit resource admission control (end to end) per 
application. This protocol lacks scalability due to the continuous signaling of the stateful 
architecture and resources used for thousands of per-flow guarantees. 


= Differentiated Services (DiffServ) model: This model (also known as “Soft QoS’’) 
addresses the limitations of both the Best Effort model and the IntServ model. This model 
provides a cost effective, “almost guarantee” on a hop-by-hop basis versus end-to-end of 
IntServ. DiffServ provides QoS by marking packets for special treatment based on groups 
known as classes. This service is addressed on a hop-by-hop basis versus IntServ’s call 
admission to guarantee resource end-to-end before packet flows are initiated. 


The DiffServ model is highly scalable with many levels of service. But this model also 
includes complex mechanisms with no absolute service guarantee. 
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QoS Mechanisms 


This topic identifies the mechanisms used to achieve QoS. 


An Overview of QoS Mechanisms 


Classification: Each class-oriented QoS mechanism has to 
support some type of classification 


Marking: Used to mark packets based on classification and/or 
metering 


Congestion Avoidance: Used to drop packets early in order to 
avoid congestion later in the network 


Congestion Management: Each interface must have a 
queuing mechanism to prioritize transmission of packets 


Policing and Shaping: Used to enforce a rate limit based on 
the metering (Example: Frame Relay traffic shaping) 


Link Efficiency: Used to improve bandwidth efficiency 
through compression (or link fragmentation and interleaving) 


From the moment an IP packet enters the network, it may get the required service needed by 
the provision of various QoS mechanisms. A packet may be classified and then usually marked 
with its class identification. From that point on, the packet may be treated by other IP QoS 
mechanisms, depending on its packet classification. The figure above and the text below outline 
the main categories of IP QoS mechanisms. 


Classification and marking mechanisms identify and split traffic into different classes. Traffic 
classes get a mark according to the traffic behavior and the intended business policies. 


With congestion avoidance various mechanisms discard specific packets based on the 
markings. These mechanisms attempt to prevent or reduce network congestion. 


Congestion management mechanisms attempt to prioritize, protect, and isolate traffic based on 
the markings. 


Policing and shaping mechanisms attempt to condition the traffic; policing drops misbehaving 
traffic to maintain network integrity; shaping controls bursts by queuing network traffic. 


Link efficiency mechanisms also provide QoS. One type of link efficiency mechanism is packet 
header compression to improve the bandwidth efficiency of a link. Another technology is Link 
Fragmentation and Interleaving (LFI) that can decrease the “jitter” of voice transmission by 
reducing voice packet delay. 
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QoS Mechanisms and Remote Access 


This topic describes the issues that must be considered when you are applying QoS 
mechanisms to remote access situations. 


Which QoS Mechanisms for 
Remote Access? 


Multilayer 
Campus 


QoS at the WAN Edge 


Service Level Agreement (SLA) with WAN service provider 
Policing, Shaping (Frame Relay Traffic Shaping—FRTS) 
Congestion Avoidance (Random Early Detection—RED) 
Congestion Management (Queuing—WFO, CBWFQ, LLQ) 
Link Efficiency (Compression, Fragmentation) 
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To provide end-to-end QoS, both the enterprise and service provider must implement the 
proper QoS mechanisms to ensure the proper traffic handling across the whole network. 


Until recently, IP QoS was not an issue in an enterprise campus network because bandwidth 
was plentiful. Recent applications such as IP telephony, videoconferencing, e-learning as well 
as traditional mission-critical data applications have changed the requirement. Now network 
administrators must address the issues of buffer management and additional bandwidth. 


In addition, IP QoS functions such as classification, scheduling, and provisioning are now 
required within the enterprise to manage bandwidth and buffers to minimize loss, delay, and 
jitter. 

This figure lists some of the requirements within the different building blocks that make up the 
end-to-end enterprise network. 


Most of the more complex QoS configurations of specific interest for remote access occur at 
the WAN edges. Some QoS tools used specifically at the WAN edge are the following: 


™ Congestion avoidance using weighted random early detection (WRED) 
= Congestion management using queuing 


m Link efficiency using compression. 
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Congestion Avoidance: Random Early Detection 


This topic describes the CBWFQ default of using tail drops as a method to avoid congestion. 


Congestion Avoidance: 
Random Early Detection (RED 


Uncontrolled Tail-drop RED-controlled 
Congestion Congestion 


» Maximize throughput 


» Accommodate burstiness 
* Minimize delay 


Offered Load 
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A router must handle how it queues network traffic to control packet access to the limited 
network bandwidth. Traffic variations such as packet bursts or flows demanding high 
bandwidth can cause congestion when packets arrive at an output port faster than they can be 
transmitted. 


The router tries to handle short-term congestion by packet buffering. This absorbs periodic 
bursts of excessive packets so they can be transmitted later. Although packet buffering has a 
cost of delay and jitter, packets are not dropped. 


For network traffic causing longer-term congestion, a router using queuing methods faces a 
need to drop some packets. A traditional strategy is tail drop. With tail drop, a router simply 
discards a packet when that packet arrives at the tail end of a queue that has completely used up 
its packet-holding resources. Tail drop is the default queuing response to congestion. Tail drop 
treats all traffic equally and does not differentiate between classes of service (CoS). 


Using tail drop, the router drops all traffic that exceeds the queue limit. Many TCP sessions 
then simultaneously go into slow start (TCP window size reduced). Consequently, traffic 
temporarily slows down to the extreme. All flows then begin to increase the window size as the 
congestion is reduced. 


This activity creates a condition called global synchronization. Global synchronization occurs 
when multiple TCP hosts reduce their transmission rates in response to packet dropping, and 
then increase their transmission rates again when the congestion is reduced. The important 
point is that the fluctuations of transmission known as global synchronization will result in 
significant underuse of a link. 
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Congestion Avoidance: Weighted Random Early 
Detection 


This topic describes WRED as an alternative to tail drops for congestion handling. 


Congestion Avoidance: 
Using WRED to Avoid Tail Drops 


For most traffic weighted RED (WRED) is preferred congestion avoidance* 


IP Precedence 
o 


- 
Differentiated Service Code 
Point (DSCP) 


Random Orop Tail Oreo 


* For voice traffic, use low latency queuing (LLQ) 
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The use of tail drops is a passive queue management mechanism. Active queue management 
mechanisms drop packets before congestion occurs. Larger-scale networks employ algorithms, 
such as RED, so they can proactively discard packets to prevent (or delay) tail drops. 


RED directs one TCP session at a time to slow down, allowing for fuller use of the bandwidth, 
and it can thereby prevent the traffic crests and troughs from global TCP synchronization. 


WRED extends RED functions by permitting more granular RED drop profiles for different 
types of traffic. WRED combines RED with IP precedence values or with differentiated 
services code point (DSCP) values. Before tail drops are required, the router can drop packets 
based on these IP precedence or DSCP markings. 


The figure shows how WRED is implemented, and what parameters influence WRED drop 
decisions. The WRED algorithm is constantly updated with the calculated average queue size, 
which is based on the recent history of queue sizes. 


The configured WRED profiles define the drop thresholds. When a packet arrives at the output 
queue, the IP precedence of DSCP value is used to select the correct WRED profile for the 
packet, and the packet is passed to WRED to perform either a drop or enqueue decision. 


Based on the profile and the average queue size, WRED calculates the probability for dropping 
the current packet and either drops it or passes it to the output queue. If the queue is already 
full, the packet is tail-dropped. Otherwise, it is eventually transmitted out on the interface. 


WRED monitors the average queue depth in the router and determines when to begin packet 
drops based on the queue depth. When the average queue depth crosses the user-specified 
minimum threshold, WRED begins to drop packets (both TCP and User Data Protocol [UDP]). 
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If the average queue depth ever crosses the user-specified maximum threshold, then WRED 
reverts to tail drop, where all incoming packets might be dropped. The idea behind using 
WRED is to maintain the queue depth at a level somewhere between the minimum and 
maximum thresholds, and to implement different drop policies for different classes of traffic. 


WRED is only useful when the bulk of the traffic is TCP traffic. With TCP, dropped packets 
indicate congestion, so the packet source reduces its transmission rate. With other protocols, 

packet sources might not respond or might resend dropped packets at the same rate; therefore 
dropping packets does not decrease congestion. 


WRED can be used wherever there is a potential bottleneck (a congested link) at an access or 
edge link of the network. It is normally used in the core routers of a network rather than at the 
edge of the network. Edge routers assign IP precedence to packets as they enter the network. 
WRED uses these IP precedences to determine how to treat different types of traffic. 
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Effective Use of Traffic Prioritization 


This topic identifies the effective use of traffic prioritization techniques. 


Congestion Management: 
Low-speed Prioritization 


Voice 


Video Cos so 
File Transfer THEI 


° Prioritization is most effective on bursty WAN links 
(T1/E1 or below) that experience temporary 
congestion 
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The figure shows a converged network in which voice, video, and data file transfers use the 
same low-speed T1/E1 facilities. Merging these different traffic streams with their respective 
differing requirements can lead to performance problems. Different types of traffic that share a 
data path through the network can result in temporary congestion on these data links. 


Prioritization may be necessary at the WAN edge congestion points. Prioritization is most 
effective on WAN links where the combination of bursty traffic and relatively lower data rates 
can cause temporary congestion. Depending on the average packet size, prioritization is most 
effective when applied to links at T1/E1 bandwidth speeds or lower. 


If there is no congestion on the WAN link, traffic prioritization is not necessary. However, if a 
WAN link is constantly congested, traffic prioritization may not resolve the problem. Adding 
bandwidth might be the appropriate solution. 
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Queuing Overview 


This topic describes various queuing options that you can implement. 


Congestion Management: 
Queuing 


° Prioritizes traffic through router. 

* Cisco IOS software offers: 
—Weighted fair queuing 
—Class-based weighted fair queuing 
—Low latency queuing 
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A protocol-dependent switching process handles traffic arriving at a router interface. The 
switching process includes delivery of traffic to an outgoing interface buffer. 


FIFO queuing is the classic algorithm for packet transmission. With FIFO, transmission occurs 
in the same order as messages are received. Until recently, FIFO queuing was the default for all 
router interfaces. If users require traffic to be ordered differently, they must establish a queuing 
policy other than FIFO queuing. 


In addition to FIFO, Cisco IOS software offers other alternative queuing options: 


= Weighted fair queuing (WFQ): Prioritizes interactive traffic over file transfers to ensure 
satisfactory response time for common user applications. WFQ can prioritize traffic based 
on flows (flow-based WFQ) or user-defined classes (class-based WFQ [CBWFQ)]). 


m Class-based weighted fair queuing (CBWFQ) (Cisco IOS Release 12.2) 
™ Low latency queuing (LLQ) (Cisco IOS Release 12.2) 
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Establishing a Queuing Policy 


This topic describes the considerations for establishing a queuing policy. 


Congestion Management: 
Establishing a Queuing Policy 


Bottleneck 


* Determines which packets get through first 


* Helps provide acceptable service levels and 
control WAN costs 
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A queuing policy helps network managers meet two challenges: providing an appropriate level 
of service for all users and controlling expensive WAN costs. 


Typically, the corporate goal is to deploy and maintain a single enterprise network that supports 
a variety of applications, organizations, technologies, and user expectations. Consequently, 
network managers are concerned with providing all users with an appropriate level of service 
while continuing to support mission-critical applications and planning for integration of new 
technologies. 


Because the major cost of running a network is also related to WAN circuit charges, network 
managers balance the capacity and cost of these WAN circuits with an acceptable level of 
service for their users. 


To meet these challenges, queuing allows network managers to prioritize, reserve, and manage 
network resources, and to ensure the seamless integration and migration of disparate 
technologies without unnecessary costs. 


In the above example, three types of traffic are vying for access to the WAN, because of limited 
bandwidth. These three types of traffic are as follows: 


= RTP (Real-Time Transport Protocol): RTP is used to carry multimedia application 
traffic, including packetized audio and video, over an IP network. 


m SSH (Secure Shell Protocol): SSH is a secure application used for logging into a remote 
device, executing commands on a remote device, and moving files from remote device to 
remote device. 


m= FTP: FTP is a standard protocol in the TCP/IP suite of protocols used to transfer files from 
one device to another. 
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The network administrator needs to determine the priority of each of these traffic types based 
on the network policy. The administrator then needs to apply the appropriate queuing technique 
to ensure that each type of traffic is treated according to the policy. 


It is likely the administrator prioritizes the RTP traffic first. Due to the delay-sensitive nature of 
voice and video traffic, the SSH traffic is prioritized second. The FTP traffic is third. 


The queuing mechanism used to do this is dependent on the relative importance of each type of 
traffic, the volume of traffic, and available bandwidth. 
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Cisco IOS Queuing Options 


This topic describes the steps necessary to correctly choose a Cisco IOS queuing option. 


Choosing a Cisco lOS ueulng buon 


congested? 


y P 


WAN Strict 
control 


* Delay-sensitive applications may require higher 
priority than others. 
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Complete these steps when you are choosing a Cisco IOS queuing option: 


Step 1 


Step 2 


Step 3 


Step 4 


Determine whether the WAN is congested. 


If traffic does not back up, there is no need to prioritize it. The traffic is serviced as 
it arrives. However, if the load exceeds the transmission capacity for periods of time, 
you may want to prioritize the traffic with one of the Cisco IOS queuing options. 


Decide whether strict control over traffic prioritization is necessary and whether 
automatic configuration is acceptable. 


Proper queuing configuration is a nontrivial task. The network manager must study 
the traffic types traversing the interface, determine how to classify them, and decide 
on their relative priority. The manager must install the filters and test their effect on 
the traffic. Traffic patterns change over time, so the analysis must be repeated 
periodically. 


Establish a queuing policy. 


A queuing policy results from the analysis of traffic patterns and the determination 
of relative traffic priorities discussed in Step 2. 


Determine whether any of the traffic types identified in your traffic pattern analysis 
can tolerate a delay. Typically, voice and video have the lowest tolerance for delay. 
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The table illustrates the typical queuing options a network administrator would choose from 
when determining how to best implement a queuing policy. 


Queuing Options 


Queuing Type 


FIFO 


Description 


FIFO queuing is simply sending packets out of an interface in the order in which 
they arrived. 


PQ 


Priority queuing (PQ) defines four priorities of traffic—high, normal, medium, and 
low—on a given interface. As traffic comes into the router, it is assigned to one of 
the four output queues. Packets on the highest-priority queue are transmitted first; 
packets on the next highest-priority queue are transmitted second; and so on. 


CQ 


Custom queuing (CQ) reserves a percentage of bandwidth for specified protocols. 
Up to 16 output queues can be configured for normal data and an additional 
queue can be created for system messages such as LAN keepalives. Each queue 
is serviced sequentially, by transmitting a configurable percentage of traffic and 
then moving on to the next queue. 


WFQ 


WFQ provides traffic management that dynamically prioritizes traffic into 
conversations, or flows, based on Layer 3 or 4 information. It then breaks up a 
stream of packets within each conversation to ensure that bandwidth is shared 
equally between individual conversations. 


CBWFQ 


CBWFQ defines traffic classes, typically using access control lists (ACLs), and 
then applies parameters, such as bandwidth and queue-limits, to these classes. 
The bandwidth assigned to a class is used to calculate the "weight" of that class. 
The weight of each packet that matches the class criteria is also calculated. WFQ 
is then applied to the classes, which can include several flows, rather than to the 
flows themselves. 


LLQ 


LLQ provides strict PQ for CBWFQ, reducing jitter in voice conversations. Strict 
PQ gives delay-sensitive data, such as voice, preferential treatment over other 
traffic. With this feature, delay-sensitive data is sent first, before packets in other 
queues are treated. Low latency queuing is also called PQ/CBWFQ because it is a 
combination of the two techniques. 
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Link Efficiency Usage 


This topic identifies two link efficiency mechanisms. 


Link Efficiency 
Usage and Tool Categories 


° Use link efficiency: 
— For low speed links (768kbps or less) 


—When mixing large data MTU with smaller real 
time packets 


* Two categories of tools for link efficiency: 
—Fragmentation/interleaving 


— Compression (Header compression or data 
compression) 
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Link-efficiency mechanisms work best on low speed data links that have large MTU data 
packets as well as interactive traffic such as Telnet and Voice over IP (VoIP). 


Cisco IOS QoS software offers two link efficiency mechanisms that work in conjunction with 
queuing and traffic shaping to manage existing bandwidth more efficiently and predictably: 


= Link Fragmentation and Interleaving (LFI): The network fragments data packets and 
interleaves voice packets to improve the link efficiency. 


= Compressed Real-Time Protocol (CRTP): The network protocol improves link 
efficiency as it compresses headers to reduce the overhead of converged traffic. 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
eee GISCOCOM 


* Quality of Service is “the ability of the network to 
provide better or ‘special’ service to selected users 
and/or applications to the detriment of other users 
and/or applications.” 


* A converged network is one in which voice, video, 
and data traffic use the same network facilities. 

° The three quality of service models are Best Effort, 
IntServ and DiffServ. 


* For QoS at the WAN Edge, consider WRED, 
congestion management and link efficiency 
mechanisms. 


Summary (Cont.) 


* To provide end-to-end QoS, the enterprise and 
service providers must implement the proper QoS 
mechanisms. 


¢ Active queuing management mechanisms drop 
packets before congestion occurs. 

° First-in-first-out (FIFO) queuing is the classic 
algorithm for packet transmission. 


* The queuing options preferred for remote access 
are WFQ, CBWFQ and LLQ. 
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Quiz 


Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 


Ql) 


Q2) 


Q3) 


Q4) 


QS) 


Q6) 


Which of the following is true of voice traffic? 


A) can tolerate delays 
B) is time-sensitive 
C) can wait until a network recovers 


D) is typically very large 


Video has what kind of bandwidth requirement? 


A) average 

B) moderate to high 
C) moderate to low 
D) low 


Which quality of service model allows applications to signal the network in advance to 
request special QoS? 

A) Best Effort 

B) Integrated Services 

C) Differentiated Services 


Which QoS mechanism drops packets early in order to prevent congestion later in the 
network? 


A) classification 

B) marking 

C) congestion avoidance 
D) congestion management 


What is it called when multiple TCP hosts reduce their transmission rates in response 
to packet dropping, and then increase their transmission rates again when congestion is 
reduced? 

A) global synchronization 

B) global packeting 

C) packet buffering 

D) load balancing 


Prioritization may be necessary in which location? 
A) campus 

B) end-to-end points 

C) WAN edge congestion points 
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Q7) — Which queuing option is NOT an alternative to FIFO queuing on Cisco routers? 
A) weighted fair queuing 
B) class-based weighted fair queuing 
C) traffic-rate queuing 
D) custom queuing 


Q8) Depending on the average packet size, prioritization is most effective when applied to 
links at : 
A) ISDN BRI bandwidth speeds or higher 
B) TI/E1 bandwidth speeds or lower 
C) 56 kbps bandwidth speeds or lower 
D) OC-3 bandwidth speeds or higher 


Q9) Which factors must a network manager consider when establishing a queuing policy? 


A) providing an appropriate level of service for all users 
B) controlling expensive WAN costs 

C) A and B 

D) none of the above 


Q10) Which queuing method would work best on congested WAN links where delay is a 


concern? 

A) WFQ 

B) CQ 

C) LLQ 

D) CBWFQ 
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Quiz Answer Key 


Ql) B 

Relates to: Converged Networks: Quality Issues 
Q2) B 

Relates to: QoS Application Requirements 
Q3) B 

Relates to: QoS Models 
Q4) Cc 

Relates to: QoS Mechanisms 
Q5) A 

Relates to: Congestion Avoidance: Random Early Detection 
Q6) Cc 

Relates to: Effective Use of Traffic Prioritization 
Q7) Cc 

Relates to: Queuing Overview 
Q8) B 

Relates to: Effective Use of Traffic Prioritization 
Q9) Cc 

Relates to: Establishing a Queuing Policy 
Q10) Cc 


Relates to: Cisco IOS Queuing Options 
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Configuring Congestion 
Management 


Overview 


This lesson describes class-based weighted fair queuing (CBWFQ) operation as compared to 
flow-based weighted fair queuing (WFQ). It also describes the congestion handling technique 
of tail drops and how these can cause the problem of global synchronization. The lesson 
finishes with the CBWFQ option of using weighted random early detection (WRED) to actively 
manage queuing and congestion avoidance. 


Relevance 


Managing network performance is crucial in the bandwidth-demanding applications of today. 
CBWFQ is one popular method of managing bandwidth over a WAN. A basic introduction to 
queuing using techniques that minimize or eliminate tail drops can enable a better 
understanding of QoS alternatives. 


Objectives 


Upon completing this lesson, you will be able to: 


Describe a situation where WFQ would be appropriate 
Configure WFQ using Cisco IOS commands 

Describe the operations concept of CBWFQ 

List the benefits of CBWFQ over WFQ 


Describe the configuration that is required to define traffic classes and to specify 
classification policy 


Configure policies to be applied to packets belonging to one of the classes previously 
defined through a class map 


Configure CBWFQ with WRED 
Configure a CBWFQ default class 


Configure low latency queuing with the use of the priority command for a policy-map 
class 


Learner Skills and Knowledge 


To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO) 


course 


m All knowledge presented in the /nterconnecting Cisco Network Devices (ICND) course 


Outline 


This lesson includes these topics: 


Overview 

WFQ Operation 

Configuring WFQ 

WFQ Example 

CBWFQ Operation 

CBWFQ vs. Flow-Based WFQ 

Step 1: Configuring CBWFQ 

Step 2a: Configuring CBWFQ with Tail Drop 
Step 2b: Configuring CBWFQ with WRED 
Step 2c: Configuring CBWFQ Default Class (Optional) 
Step 3: Configuring CBWFQ 

CBWFQ Example 

LLQ Operation 

Configuring LLQ 

Summary 


Quiz 
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WFQ Operation 


This topic describes an overview of weighted fair queuing (WFQ) and its importance during 
times of WAN congestion. 


WFQ Operation 


FIFO Queuing 
High-volume Traffic 


High-volume Traffic 


Low-volume Traffic Low-vokime Traffic 
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When FIFO queuing is in effect, traffic is transmitted in the order received without regard for 
bandwidth consumption or the associated delays. File transfers and other high-volume network 
applications often generate a series of packets of associated data known as packet trains. Packet 
trains are groups of packets that tend to move together through the network. These packet trains 
can consume all available bandwidth and other traffic flows can back up behind them. 
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WFQ Operation (Cont.) 


Packets in order of arrival 


WEQ overcomes an important limitation of FIFO queuing. It is an automated method that 
provides fair bandwidth allocation to all network traffic. It provides traffic management that 
dynamically prioritizes traffic into conversations, or flows. WFQ then breaks up a stream of 
packets within each conversation to ensure that bandwidth is shared fairly between individual 
conversations. There are four types of WFQ: flow-based, distributed, class-based, and 
distributed class-based. 


WFQ is a flow-based algorithm that moves delay-sensitive traffic to the front of a queue to 
reduce response time, and shares remaining bandwidth fairly among high-bandwidth flows. By 
breaking up packet trains, WFQ assures that low-volume traffic is transferred in a timely 
fashion. WFQ gives low-volume traffic, such as Telnet sessions, priority over high-volume 
traffic, such as FTP sessions. It gives concurrent file transfers a balanced use of available 
bandwidth. WFQ automatically adapts to changing network traffic conditions. 


WFQ is enabled by default for physical interfaces whose bandwidth is less than or equal to 
2.048 Mbps. 
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WFQ Operation (Cont.) 


Packets Fair Queued 


* Flows are assigned a channel. 


° Sorts the queue by order of the last bit crossing its 
channel. 
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The WFQ algorithm arranges traffic into conversations, or flows. The sorting of traffic into 
flows is based on packet header addressing. Common conversation discriminators are as 
follows: 


Source or destination network address 

Source or destination MAC address 

Source or destination port or socket numbers 

Frame Relay data-link connection identifier (DLCI) value 
Quality of service (QoS) or type of service (ToS) value 
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In the figure, the WFQ algorithm has identified three flows. 


WFQ Operation (Cont.) 


Fair Queuing Order 


¢ Messages are transmitted in a fair order. 
° High-volume conversations share the link. 


The flow-based WFQ algorithm places packets of the various conversations in the fair queue 
before transmission. The order of removal from the fair queue is determined by the virtual 
delivery time of the last bit of each arriving packet. 


WFQ assigns a weight to each flow, which determines the transmit order for queued packets. In 
this scheme, lower weights are served first. Small, low-volume packets are given priority over 
large, high-volume conversation packets. 


After low-volume conversations have been serviced, high-volume conversations share the 
remaining link capacity and interleave or alternate transmission timeslots. In this figure, high- 
volume conversation packets are queued in order of arrival after the low-volume packet. 


The queuing algorithm ensures the proper amount of bandwidth for each datagram. With flow- 
based WFQ, two equal-size file transfers get equal bandwidth, rather than the first file transfer 
using most of the bandwidth. Although the flow-based WFQ algorithm allocates a separate 
queue for each conversation, each queue can belong to one of only seven priority 
classifications, based on the IP precedence. 


In the example, packet 3 is queued before packets 1 or 2 because packet 3 is a small packet in a 
low-volume conversation. 


The result of the queuing order and the transmission order is that short messages that do not 
require much bandwidth are given priority and transmitted on the link first. For example, 
packet 3 before packets 1 and 2. 
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Configuring WFQ 


This topic describes how to configure WFQ on an interface. 


Configuring WFQ 


Router (config-if)#fair-queue {congestive-discard- threshold} 


¢ Enables WFQ 
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The fair-queue command enables WFQ on an interface. 
fair-queue Command 


Command Description 


congestive-discard- 
threshold 


The number of messages creating a congestion threshold after 
which messages for high-volume traffic will no longer be queued. 
It is the maximum number of packets in a conversation held in a 
queue before they are discarded. Valid values are 1 to 512, 
inclusive. The default is 64 messages. The fair-queue 128 
command sets the congestive-discard-threshold to 128. 


congestive-discard-threshold is an optional command. It is not 
required, as indicated by the braces {} in the figure. 


The congestive discard policy applies only to high-volume conversations that have more than 
one message in the queue. The discard policy tries to control conversations that would 
monopolize the link. If an individual conversation queue contains more messages than the 
congestive discard threshold, that conversation will not have any new messages queued until 
the content of that queue drops below one-fourth of the congestive discard value. 


Note WFQ is used by default on serial interfaces at E1 speeds (2.048 Mbps) and below. WFQ is 
disabled on serial interfaces using X.25 or compressed PPP. LAN interfaces and serial lines 
operating at E3 or T3 speeds do not support WFQ. 


Copyright © 2004, Cisco Systems, Inc. Using QoS in Wide-Area Networks 10-33 


WFQ Example 


This topic describes WFQ being used on a Frame Relay network to enable interactive traffic to 
flow during times of congestion. 


WFQ Example 


Router (config) #interface Serial 1 
Router (config-if) #encapsulation frame-relay 


Router (config-if) #fair-queue 128 
Router (config-if) #bandwidth 56 


Appears in output 
only if congestive 
discard threshold 

is modified. 


BCRAN v2.1—10-7 


In the figure, interface Serial | is attached to a Frame Relay network and is configured to 
operate at a 56-kbps link speed. The fair-queue 128 command sets the congestive discard 
threshold to 128. 


Because conversations may not have any new messages queued until the queue content drops 
below one-fourth of the congestive discard value, a queue must contain fewer than 32 entries 
(one-quarter of 128). 
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CBWFQ Operation 


This topic describes class-based weighted fair queuing (CBWFQ). 


CBWFQ 


Traffic is 
grouped into 
user-defined 
classes. 


The WFQ algorithm is applied to classes 
rather than the flows themselves. 
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CBWFQ extends the standard WFQ functionality to provide support for user-defined traffic 
classes. By using CBWFQ, network managers can define traffic classes based on several match 
criteria, including protocols, ACLs, and input interfaces. A FIFO queue is reserved for each 
class, and traffic belonging to a class is directed to the queue for that class. More than one flow, 
or conversation, can belong to a class. 


After a class has been defined according to its match criteria, you can assign its characteristics. 
To characterize a class, you assign it bandwidth and maximum packet limit. The bandwidth 
assigned to a class is the guaranteed bandwidth given to the class during congestion. 


CBWFQ assigns a weight to each configured class instead of each flow. This weight is 
proportional to the bandwidth that is configured for each class (weight = interface bandwidth 
divided by the class bandwidth). Therefore, the larger the bandwidth value of a class, the 
smaller its weight. 


By default, the total amount of bandwidth allocated for all classes must not exceed 75 percent 
of the available bandwidth on the interface. The other 25 percent is used for control and routing 
of traffic. However, the maximum-reserved bandwidth can be configured to circumvent this 
limitation. 


You must also specify the queue limit for the class, which is the maximum number of packets 
allowed to accumulate in the queue for the class. Packets belonging to a class are subject to the 
bandwidth and queue limits that are configured for the class. 
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CBWFQ vs. Flow-Based WFQ 


This topic describes the benefits of CBWFQ over WFQ. 


CBWFQ vs. Flow-Based WFQ 
— il OC 


* CBWFQ provides for up to 64 classes; flow-based 
WFQ is limited to 7 classifications, or weights. 


* CBWFQ allows for coarser granularity. Multiple IP 
flows can belong to a single class. 


CBWFQ offers these benefits over flow-based WFQ: 


= Bandwidth allocation: CBWFQ allows you to specify the exact amount of bandwidth to 
be allocated for a specific class of traffic. You can configure up to 64 classes and control 
distribution among them. 


Note This is not the case with flow-based WFQ. Flow-based WFQ applies weights to traffic and 
classifies traffic into conversations, thus controlling how much bandwidth each conversation 
is allocated relative to other conversations. For flow-based WFQ, these weights and traffic 
classifications are limited to the seven IP precedence levels. 


= Finer granularity and scalability: CBWFQ allows you to define classification based on 
more criteria. It allows you to use ACLs, protocols, and input interface names to define 
how traffic will be classified, thereby providing finer granularity. You can configure up to 
64 discrete classes in a service policy. 
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Step 1: Configuring CBWFQ 


This topic describes the configuration required to define traffic classes and to specify 


classification policy. 


These are the steps involved in the CBWFQ configuration process: 


Step 1 


Step 2 


Step 3 


Step 1: Configuring CBWFQ 


Router(config)+claze-Mmap Cisas-map-nane 


Router(config-cmap) #match accees-group [accese- 
group | name access-group-nane} 
or 
Router (config-cmap) #match input-interfece 


interface-name 
or 


Router (config-cmap) #match protocol protocol 
or 


Router (config-amap) #match ip precedence toa 


¢ Use only one match command with each 


class-map. 


Define traffic classes to specify the classification policy (class maps). 


Associate policies, or class characteristics, with each traffic class (policy map). 


A: CBWEFQ with tail drop 
or 

B: CBWFQ with WRED 
C: Optional: Default Class 


Attaching policies to interfaces (service policies). 


This process determines how many types of packets are to be differentiated from one another. 


To create a class map, use the class-map command to specify the name of the class map and 


enter class map configuration mode. You can use only one match command for each class 


map. 
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match Command 


Command Description 
access-group {access- 
group | name access- 
group name} 


Specifies the name of the ACL against whose contents packets 
are checked to determine if they belong to the class. CBWFQ 
supports numbered and named ACLs. 


Specifies the name of the input interface used as a match 
criterion against which packets are checked to determine if they 
belong to the class. 

Specifies the name of the protocol used as a match criterion 
against which packets are checked to determine if they belong to 
the class. 

Specifies the IP precedence ToS level used as a match criterion 
against which packets are checked to determine if they belong in 
this class. 


input -interface 
interface name 


protocol protocol 


ip precedence tos 


10-38 Building Cisco Remote Access Networks (BCRAN) v2.1 Copyright # 2004, Cisco Systems, Inc. 


Step 2a: Configuring CBWFQ with Tail Drop 


This topic describes configuration of policies built from previously defined classes. This 
CBWEQ is configured with tail drop rather than WRED. You can implement either one of 
these options, 2a or 2b, but not both. 


Step 2a: Configuring CBWFQ with Tail ate 


Router (config)#policy-map policy-map-name 


Router (config-pmap)#class class-name 
Router (config-pmap-c)#bandwidth bandwidth-kbps 
Router (config-pmap-c)#queue-limit number-of-packets 


* Use the queue-limit command when configuring 
CBWFQ with tail drop. 
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This process entails configuration of policies to be applied to packets belonging to one of the 
classes previously defined through a class map. For this process, you must configure a policy 
map that specifies the policy for each traffic class. 


Use the policy-map command to specify the policy map name and enter the policy map 
configuration mode. Then, use one or more of the following commands to configure policy for 
a standard class or the default class: 


m™ class 
= bandwidth 
m™ fair-queue (for class-default class only) 


@ queue-limit or random-detect 
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Step 2b: Configuring CBWFQ with WRED 


This topic describes configuration of CBWFQ with WRED rather than tail drop. Remember, 
you can choose this step or the prior one (2a), but not both. 


Step 2b: Configuring CBWFQ with WRED 


Reuter (conftic)#policy-map pelicy-Mmap-nane 


Router (contig-pmap) #coleass clase-nam 

or 
Router (conZic-pmap-c)#bandwidth bandwidth-kbps 
Router (config-pmap-c)#random-detect 


Router (contig-pmap-c)+random-detect 


exponential-weighting-constant exponent 
and/or 
Router (contic-pmap-c) #random-detect 
precedence precedence min-threshoild max-threshold 


Mark -prob-denominator 


° Use the random-detect command when configuring 
CBWFQ with WRED. 
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Note If you configure a class in a policy map to use WRED for packet drop instead of tail drop, 
you must ensure that WRED is not configured on the interface to which you intend to attach 
that service policy. 


class Command 


Command Description 


Specifies the name of a class to be created and included in the 
service policy 


class-name 


Specifies the default class so that you can configure or modify 
its policy 


class-default 


bandwidth Command 


Command Description 


bandwidth-kbps Specifies the amount of bandwidth in kbps (or as a percentage 
of the link) to be assigned to the class. The amount of 
bandwidth configured should be large enough to also 
accommodate Layer 2 overhead. 
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queue-limit Command 


Command 


number-of-packets 


random-detect Command 


Command 


Random-detect 


Description 
Specifies the maximum number of packets that can be queued 


for the class. If this is not specified, the default queue limit is 64 
packets. 


Description 


Enables WRED. The class policy will drop packets using WRED 
instead of tail drop. 


exponential-weighting- 
constant exponent 


Configures the exponential weight factor that is used in 
calculating the average queue length. 


precedence precedence 
min-threshold max- 
threshold mark-prob- 
denominator 


Configures WRED parameters for packets with a specific IP 
precedence. Repeat this command for each precedence. 


You can configure policy for more than one class in the same policy map. 
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Step 2c: Configuring CBWFQ Default Class 
(Optional) 


This topic describes configuration of a CBWFQ default class. You can use default class with 
either tail drop (2a) or WRED (2b). 


Step 2c: Configuring CBWFQ Default Class 
(Optional) 


Router (ceonfig)#policy-map policy-map-nama 
Router(contig-pmap)#class class-default default-class-name 


ar 


Router (config-pmap-c)#bandwidth bandwidth-kbps 
or 


Router(config-pmap-c)#fair-queue [number-of-dynamic queues] 


* Configure the default class for tail drop using the 
queue-limit command. 


* Configure the default class for WRED using the 
random-detect command. 
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Optionally, you can modify the policy for IP flows that do not match any of the match criteria 
of the classes. The class class-default command is used to classify traffic that does not fall into 
one of the defined classes. The class-default class is predefined when you create the policy 
map. By default, the class-default class is defined as flow-based WFQ. 


Configuring the default class with the bandwidth policy-map class configuration command 
disqualifies the default class for flow-based WFQ. If a default class is configured with the 
bandwidth policy-map class configuration command, all unclassified traffic is put into a single 
FIFO queue and treated according to the configured bandwidth. If a default class is configured 
with the fair-queue command (or if no default class is configured), all unclassified traffic is 
flow-classified and given best-effort treatment. 


fair-queue Command 


Command Description 

In policy-map class configuration mode, this command 
specifies the number of dynamic queues to be reserved for use 
by flow-based WFQ running on the default class. The number 
of dynamic queues is derived from the bandwidth of the 
interface. 


[number-of-dynamic- 
queues] 
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Step 3: Configuring CBWFQ 


This topic describes the configuration for attaching policies to interfaces. 


Step 3: Configuring CBWFQ 


Router (config-if)#service-policy output policy-map 


° Use the service-policy output command to attach the 
service policy to an interface and enable CBWFQ. 


Router (config) #interface 20 


Router (config-if) #service-policy output MYMAP 
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This process requires that you apply an existing policy map, or service policy, with an interface 
to associate the particular set of policies for the map to that interface. 


Use the service-policy output command in interface configuration mode to attach the policy to 
an interface. 


service-policy output Command 


Command Description 


Enables CBWFQ and attaches the specified service policy 
map to the output interface 


output policy-map 
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CBWFQ Example 


This topic describes a CBWFQ configuration example. 


CBWFQ Example 
i656) 


Router (contig) #access-list 101 permit udp host 
10.10.10.10 host 109,19,10,20 ranse 16382 20000 


Router (config) #access-list 102 permit udp host 
10.10.10.10 host 10.19.10.20 range 53000 56000 


Router (contig) #elass-map olasel 


Router (cconfig-cmap) #match access-group 1fl 
Router (config-cmap) #taxit 


Router (config) #elass-map clase2 
Router (config-cmap) #mateh access-qreup 102 


Router (config-cmap) #exit 


« Class‘ uses access-list 101 to match a UDP port range for voice 
* Class2 uses access-list 102 to match a UDP port range for video 
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In the configuration example shown in the figure, class] is defined by referencing access-list 
101 with the match access-group 101 command. Class! will therefore match UDP traffic from 
host 10.10.10.10 to host 10.10.10.20 on ports 16382 to 20000. 


Class2 is defined by referencing access-list 102 with the match access-group 102 command. 
Class2 will therefore match UDP traffic from host 10.10.10.10 to host 10.10.10.20 on ports 
53000 to 56000. 
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CBWFQ Example (Cont.) 


Router fcontigittpclicy-map policyl 
Router (conlLig-pmap)#clage clagel 


Router (config-pmap-c) #>andwicth 3000 
Router (config-pmap-c) #cueue-limit 30 


Router {config-pmap-c) #exit 


Router {(contiq-pmap) #clase clacss2 
Router (oonfiq-pmap-e) Fhbandwidth 2000 


Router (config-pmap-c) #exit 


* Class2 does not specify a queue limit, so the 
default of 64 packets is assumed. 


¢ Tail drop will be used for both classes 
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The policy-map command creates a policy map. The configuration example in the figure 
shows that the policy map, policy1, includes two class maps: 


m™ Class1: Configured with a bandwidth of 3000 kbps and a queue limit of 30 packets. 


m Class2: Configured with a bandwidth of 2000 kbps. Because the queue limit is not 
specified, the default of 64 packets applies. 


Since neither class is configured with the random-detect command, Cisco IOS software will 
tail drop packets if their destination queue is full. Use the random-detect command to 
configure WRED. 
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LLQ Operation 


This topic describes the concept of low latency queuing (LLQ). 


LLQ 


Priority Class 


Class 1 


Class 2 
Class 3 


Class-Default 


¢ LLQ provides for strict priority queuing of voice 
traffic (V). 
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The LLQ feature provides strict priority queuing (PQ) for CBWFQ, reducing jitter in voice 
conversations. Configured by the priority command, strict PQ gives delay-sensitive data— 
such as voice—preferential treatment over other traffic. With this feature, delay-sensitive data 
is sent first, before packets in other queues are treated. LLQ is also called PQ/CBWFQ, because 
it is a combination of the two techniques. 


For CBWFQ, the weight for a packet belonging to a specific class is derived from the 
bandwidth that you assigned to the class when you configured it. Therefore, the bandwidth 
assigned to the packets of a class determines the order in which the packets are sent. All 
packets are serviced fairly based on weight; no class of packets may be granted strict priority. 
This scheme poses problems for voice and video traffic that is largely intolerant of delay, 
especially variation in delay. For voice traffic, variations in delay introduce irregularities of 
transmission, which cause jitter. 


To apply a class of traffic to the strict priority queue, you configure the priority command for 
that class of traffic. That class of traffic and others then belong to a policy map. Within a policy 
map, you can give one or more classes priority status. When multiple classes within a single 
policy map are configured as priority classes, all traffic from these classes are applied to the 
same, single, strict priority queue. The multiple classes will contend with each other for 
bandwidth. 


Although it is possible to apply various types of real-time traffic to the strict priority queue, 
Cisco recommends that you direct only voice traffic to it. This is because voice traffic is well 
behaved, whereas other types of real-time traffic are not. Moreover, voice traffic requires that 
delay be nonvariable in order to avoid jitter. Real-time traffic such as video could introduce 
variation in delay, thereby thwarting the steadiness of delay required for successful voice traffic 
transmission. 
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Configuring LLQ 


This topic describes the configuration of LLQ. 


Configuring LLQ 


Router (config)#policy-map policy~-map-name 


Router (config-pmap)#class class-name 
or 


Router {config-pmap-c)#priority bandwidth-kbps 


¢ The bandwidth, queue-limit, or random-detect 
commands cannot be used when configuring a 
class for LLQ. 
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When you specify the priority command for a class, it takes a bandwidth argument that gives 
maximum bandwidth in kilobits per second (kbps). You use this parameter to specify the 
maximum amount of bandwidth that is allocated for packets belonging to the class. The 
bandwidth parameter both guarantees bandwidth to the priority class and restrains the flow of 
packets from the priority class. 


In the event of congestion when the bandwidth is exceeded, policing is used to drop packets. 
Voice traffic queued to the priority queue is UDP-based and therefore not adaptive to the early 
packet drop characteristic of WRED. Because WRED is ineffective, you cannot use the WRED 
random-detect command with the priority command. In addition, because policing is used to 
drop packets and a queue limit is not imposed, the queue-limit command cannot be used with 
the priority command. The following table explains the priority command. 


priority Command 


Command Description 


bandwidth-kbps Specifies the amount of bandwidth in kbps to be assigned to the 
class for PQ. The amount of bandwidth configured should be large 


enough to also accommodate Layer 2 overhead. 
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When congestion occurs, traffic destined for the priority queue is metered to ensure that the 
bandwidth allocation configured for the class to which the traffic belongs is not exceeded. 
Priority traffic metering has these qualities: 


m™ Itis much like the rate-limiting feature of committed access rate (CAR), except that priority 
traffic metering is only performed under congestion conditions. Whether or not the device 
is congested, the priority-class traffic is not allowed to exceed its allocated bandwidth. 
When the device is congested, the priority-class traffic above the allocated bandwidth is 
discarded. 


m™ Itis performed on a per-packet basis, and tokens are replenished as packets are sent. If 
there are not enough tokens available to send the packet, it is dropped. 


m= It restrains priority traffic to its allocated bandwidth to ensure that standard traffic, such as 
routing packets and other data, is not starved. 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 


G85. 575 | 
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WFQ prioritizes traffic into conversations or flows. 
For interfaces having 2.048 Mbps or less, WFQ is the default. 


Use the fair-queue command to modify flows or to setup WFQ 
on other interfaces. 


Use the class-map CBWFQ command to specify the class 


map name. 
Use the policy-map CBWFQ command to specify the policy 
map name and configure WRED or tail drop along with 
optional default class. 

Use the service-policy output CBWFQ command in interface 
configuration mode to attach the policy to an interface. 
The LLQ feature provides strict priority queuing 

for CBWFQ. 
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Using QoS in Wide-Area Networks 


10-49 


Quiz 
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Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 


Ql) 


Q2) 


Q3) 


Q4) 


QS) 


Q6) 


Packet trains are most closely associated with what type of network application? 


A) SNA 
B) DNS 
C) Telnet 
D) FTP 


The WFQ algorithm cannot discriminate between traffic flows based on 


A) RTP 


B) source or destination port 
C) source or destination MAC 
D) ToS 


With WFQ, small, low-volume packets are given priority over large, high-volume 
conversation packets. 

A) true 

B) false 


The congestive-discard-threshold parameter in the fair-queue {congestive-discard- 
threshold} interface configuration command specifies the maximum number of 
in a conversation held in a queue before messages are discarded. 


A) bytes 


B) packets 
C) kilobytes 
D) streams 


The weight assigned to a traffic class in CBWFQ is defined as : 
A) class bandwidth divided by the interface bandwidth 

B) class bandwidth 

C) interface bandwidth divided by the class bandwidth 

D) interface bandwidth 


How many priority classifications are possible with flow-based WFQ? 


A) 5 
B) 6 
Cc) 7 
D) «8 
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Q7) After entering policy map configuration mode, all of the following are valid commands 
except 
A) class 
B) protocol 
C) bandwidth 
D) queue-limit 


Q8) — The class class-default command is used to 


A) classify traffic that does not fall into one of the defined classes 
B) classify traffic that falls into one of the defined classes 

C) specify traffic that falls into one of the defined classes 

D) route traffic to a specific location 


Q9) Youcan configure a policy for more than one class in the same policy map. 
A) true 
B) false 


Q10) Youcan use the service-policy output command in interface configuration mode to 
attach the policy to an interface. 


A) true 
B) false 
Q11) Low latency queuing is also referred to as PQ/CBWFQ. 
A) true 
B) false 


Q12) When you are configuring low latency queuing, what measurement of bandwidth is 
specified in the priority command? 
A) bits per second 
B) bytes per second 
C) kilobits per second 
D) kilobytes per second 
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Quiz Answer Key 


Ql) 


Q2) 


Q3) 


Q4) 


Q5) 


Q6) 


Q7) 


Q8) 


Q9) 
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D 


Relates to: 


A 


Relates to: 


A 


Relates to: 


B 


Relates to: 


Cc 


Relates to: 


Cc 


Relates to: 


B 


Relates to: 


A 


Relates to: 


A 


Relates to: 


Relates to: 


Relates to: 


Relates to: 


WFQ Operation 


WFQ Operation 


Configuring WFQ 


Configuring WFQ 


CBWFQ Operation 


CBWFQ vs. Flow-Based WFQ 


Step 2c: Configuring CBWFQ Default Class (Optional) 


Step 2c: Configuring CBWFQ Default Class (Optional) 


Step 3: Configuring CBWFQ 


Step 3: Configuring CBWFQ 


LLQ Operation 


Configuring LLQ 
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Verifying Congestion 
Management 


Overview 


This lesson discusses queuing verification. 


Relevance 


When queuing is configured on routers, proper operation should be verified for assurance that 
the expected traffic-handling objectives have resulted. 


Objectives 
Upon completing this lesson, you will be able to: 
m Verify queuing operation using the show queuing command 


m™ Describe the differences and similarities among flow-based WFQ, CBWFQ, and LLQ 


Learner Skills and Knowledge 


To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m= All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO) 
course 


m= All knowledge presented in the Jnterconnecting Cisco Network Devices (ICND) course 


Outline 


This lesson includes these topics: 


Overview 

Verification of Queuing Operation 
Queuing Comparison Summary 
Summary 


Quiz 
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Verification of Queuing Operation 


This topic describes the show queueing command. 


Verifying Queuing Operation 


Router#ahow queueing int 0 


Interface SerialO queueing strategy: Jair 
Input queue: 0/75/0 (size/max/drops); Total output drops: 0 
Queueing strategy: weighted fair 


Cutput queue: ©0/1000/64/0 (eize/max total/tbresheld/drops! 
Conversations O/1/256 (active/max active/max total) 
Reserved Conversations 0/0 (allooated/nax allocated) 


* Displays queuing status on all interfaces 
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Use the show queueing command to display detailed queuing information about all interfaces 
where fair queuing is enabled. 


In this example, serial0 is enabled with WFQ. 


You can also use the show interfaces command to display queuing information for the 
interfaces of the router. 


Note The word “queuing” is spelled “queueing” in the commands. 
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Verifying Queuing Operation ont) 


branch_G6#show policy-map interface 51.1 
Serial1l.1: DLCI 621 - 


Service-policy output: CBWFO-branch 


Chae ae LLQ-192 REGACEAE Rico all) 
2 nackets, 129408 by 
ee minute offered rate 0 ee drop rate 0 bps 
Match: aceess-group 102 
Weighted Fair Queueing 
Stract Pricrity 
Gutput Qucuc: Conversation 24 


Bandwidth 8 phene) Buret 200 (Bytes! 
(pkts matched/bytes matched) 330/24960 
{total drops/bytes drops) 0/0 
Class-map: class-default (match-any) 
1641 packets, 74919 bytes 
5 minute offered cate 0 bps, drop rate 0 bps 
Match: any 


* Displays counter information on the serial 
interface queuing. 


The table defines the counters in the figure. 


Counters for show policy-map interface Command (in figure) 


Counter Explanation 

2022 packets, 129408 bytes The number of packets matching the criteria of the class. This 
counter increments whether or not the interface is congested. 

(pkts matched/bytes matched) The number of packets matching the criteria of the class when 

390/24960 the interface was congested. In other words, the transmit ring of 


the interface was full, and the driver and the Layer 3 processor 
system worked together to queue the excess packets in the Layer 
3 queues, where the service policy applies. Packets that are 
process-switched always go through the Layer 3 queuing system 
and thus increment the "packets matched" counter. 


5 minute offered rate 0 bps, drop Use the load-interval command to change this value and make it 
rate 0 bps a more instantaneous value. The lowest value is 30 seconds; 
however, statistics displayed in the show policy-map interface 
output are updated every ten seconds. Because the command 
effectively provides a snapshot at a specific moment, the 
statistics may not reflect a temporary increase in queue size. 


Without congestion, there is no need to queue any excess packets. With congestion, packets, 
including Cisco Express Forwarding (CEF) and fast-switched packets, may go into the Layer 3 
queue. Refer back to how the Cisco IOS configuration guide defines congestion: “If you use 
congestion management features, packets accumulating at an interface are queued until the 
interface is free to send them; they are then scheduled according to their assigned priority and 
the queuing mechanism configured for the interface.” 


Normally, the “packets” counter is much larger than the “pkts matched” counter. If the values 
of the two counters are nearly equal, then the interface is receiving a large number of process- 
switched packets or is heavily congested. Both of these conditions should be investigated to 
ensure optimal packet forwarding. 
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Verifying Queuing Operation ont) 


Router# show policy map interface el/l 
Kthernet l/l output :; pel 
Weighted Fair Qusueing 
Class classl 
Outpet Queue: Conversabkion 264 
Bandwidth 937 (kbps) Max Threshold 64 [packeta) 
(total/discards/tail drops) 11848/0/0 
Class class2 


Outpet Queues: Conversation 2€5 
Bandwidth 3237 (kbps) Max Threshold 64 |packets) 


(total/discards/btail drops) 11846/0/0 


* Displays configuration for classes on the output 
interface 


BCRAN v2.1—10-4 


For CBWFQ and LLQ, you can use the show policy-map interface command to display the 
configuration of all classes forming part of the specified policy map. The show policy-map 
interface command displays the configuration of all classes configured for all policy maps on 
the specified interface. 
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Queuing Comparison Summary 


This topic describes the differences and similarities among queuing methods. 


Queuing Comparison Summary 


Flow-Based WFQ Class-Based WFQ Low Latency Queuing 
No classes Up to 64 classes Up to 64 classes 


Weights IP flows Weights classes Morlbcpidcereran {yoke}, 


Interactive traffic User-defined classes 
gets lowest weight get custom weight 


File transfer gets 2 . Designed to bring 
balanced access Highly customizable prioritize VoIP 


Enabled by default Must configure Must configure 
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WFQ is enabled by default. It does not use queue lists to determine the preferred traffic on a 
serial interface. Instead, the fair queue algorithm dynamically sorts traffic into messages that 
are part of a conversation. The messages are queued with low-volume conversations (usually 
interactive traffic), and given priority over high-volume, bandwidth-intensive conversations, 
such as file transfers. When multiple file transfers occur, the transfers are given comparable 
bandwidth. 


CBWFQ allows network managers to customize fair queuing behavior so that user-defined 
classes of traffic receive guaranteed bandwidth during times of congestion. More than one flow, 
or conversation, can belong to a user-defined class. LLQ adds strict PQ to CBWFQ operation. 
LLQ allows you to specify a priority class which will be served first, before any of the other 
classes of traffic. The PQ with LLQ will not starve the other classes because the PQ is policed 
whether or not there is congestion. 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
en SOU P| 


¢ Use the show queuing command to display detailed 
queuing information about all interfaces where fair 
queuing is enabled. 


* Use the show interfaces command to display 
queuing information for the router interfaces. 


¢ Use the show policy-map interface command to 
display the configuration of all classes forming 
part of the specified policy map. 
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Quiz 
Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 


Ql) — When an interface is cleared to send queued packets, the packets are sent based on their 


A) size 

B) assigned priority 
C) mobility 

D) date 


Q2) Which type of queuing does NOT use queue lists to determine the preferred traffic? 


A) | CBWEQ 
B)  LLQ 

C) WFQ 
D) | WRED 


Q3) — Which type of queuing allows you to specify a priority class that will be served first? 


A) | CBWEQ 
B)  LLQ 

C) WFQ 
D) | WRED 
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Quiz Answer Key 


Ql) B 

Relates to: Verification of Queuing Operation 
Q2) Cc 

Relates to: Queuing Comparison Summary 
Q3)  B 


Relates to: Queuing Comparison Summary 
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Implementing Link Efficiency 


Overview 


This lesson discusses how to optimize traffic over the WAN link by compressing data on the 
link. 


Relevance 


Managing network performance is crucial for the bandwidth-demanding applications of today. 
Understanding various compression techniques is important to determine how effective each 
would be in reducing congestion. 


Objectives 
Upon completing this lesson, you will be able to: 
m Identify the concepts of compression and where compression occurs on a data frame 
m™ Describe link compression and the two algorithms associated with link compression 
m Describe payload compression 
m Describe TCP/IP header compression 


m Describe modem compression, encrypted data, and CPU and memory considerations when 
selecting compression for a WAN link 


™ Configure link, payload, and TCP header compression on a WAN interface 


Learner Skills and Knowledge 
To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m= All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO) 
course 


m All knowledge presented in the Jnterconnecting Cisco Network Devices (ICND) course 


Outline 


This lesson includes these topics: 


Overview 

Compression Overview 

Link Compression over a Point-to-Point Connection 
Payload Compression Implementation 

TCP/IP Header Compression 

Microsoft Point-to-Point Compression 

Other Compression Considerations 

Data Compression 


Summary 


Quiz 
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Compression Overview 


This topic describes the general concepts of compression. 


Implementing Compression Overview 
eee ee a 1 SN S| 


bee Payload +<——_______| 
Compression 


TCPIIP Header 


Header + 
Compression 
—————E———————— 
Compression 


¢ Compression allows more efficient use of bandwidth. 
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Cisco IOS software offers a number of features that optimize WAN links to ease the WAN 
bandwidth bottleneck. One of the more effective methods of WAN optimization is compression 
of the data that travels across the WAN link. 

The various types of data compression that Cisco equipment supports are as follows: 

m Link compression (also known as per-interface compression) 

m Payload compression (also known as per-virtual circuit compression) 

m= TCP/IP header compression 

= Microsoft Point-to-Point Compression (MPPC) 


m= Other compression considerations 


Note The default method of transmitting data across a serial link is uncompressed. This method 
allows headers to be used in the normal switching operation, but can consume valuable 
bandwidth. This section discusses software compression features on Cisco devices. A 
hardware compression card is available on some Cisco devices. This section does not cover 
hardware compression features. 


Note Compression (header or data) is only one method of link efficiency. The other method of 
fragmentation and interleaving involves Multilink PPP (MLP), which was discussed earlier in 
the “Configuring PPP Features” module. 
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Link Compression over a Point-to-Point 
Connection 


This topic describes link compression and the two algorithms that are associated with link 
compression. 


Implementing Link Compression over a 
Point-to-Point Connection 


Ei 


Decompress 
PPP, HDLC 
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Link compression (or per-interface compression) involves compressing both the header and 
payload sections of a data stream. Unlike header compression, link compression is protocol 
independent. 


The link compression algorithm uses Predictor or STAC to compress the traffic into another 
link layer, such as PPP or Link Access Procedure, Balanced (LAPB), to ensure error correction 
and packet sequencing. Cisco High-Level Data Link control (HDLC) uses STAC compression 
only. The link compression algorithms are: 


m Predictor: Predicts the next sequence of characters in the data stream by using an index to 
look up a sequence in a compression dictionary. It then examines the next sequence in the 
data stream to see if it matches. If so, that sequence replaces the looked-up sequence in a 
maintained dictionary. If not, the algorithm locates the next character sequence in the index 
and the process begins again. The index updates itself by hashing a few of the most recent 
character sequences from the input stream. 


m STAC: Developed by STAC Electronics, STAC is a Lempel-Ziv (LZ)-based compression- 
based algorithm. It searches the input data stream for redundant strings and replaces them 
with a “token,” which is shorter than the original redundant data string. 


If the data flow moves across a point-to-point connection, use link compression. In a link 


compression environment, the complete packet is compressed and the switching information in 
the header is not available for WAN switching networks. Therefore, the best applications for 
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link compression are point-to-point environments with a limited hop path. Typical examples are 
leased lines or ISDN. 
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Payload Compression Implementation 


This topic describes payload compression. 


Implementing Payload Compression 


E a 


Frame Relay or 
AT™ 
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Payload compression (or per-virtual circuit compression) compresses only the data portion of 
the data stream. The header is left intact. 


When designing an internetwork, the customer cannot assume that an application will be 
transmitted over point-to-point lines. If link compression is used rather than payload 
compression, the header may not be readable at a particular hop. 


Note When using payload compression, the header is left unchanged and packets can be 
switched through a WAN packet network. Payload compression is appropriate for virtual 
network services such as Frame Relay and ATM. It uses the STAC compression method 
discussed earlier. 
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TCP/IP Header Compression 


This topic describes TCP/IP header compression. 


Using TCP/IP Header Compression 
ee eee meee i ee | 


TCP/IP Header 


TCP/IP 
Header 
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TCP/IP header compression subscribes to the Van Jacobson algorithm defined in RFC 1144. It 
lowers the overhead generated by disproportionately large TCP/IP headers as they are 
transmitted across the WAN. TCP/IP header compression is protocol-specific and only 
compresses the TCP/IP header. The Layer 2 header is still intact and a packet with a 
compressed TCP/IP header can still travel across a WAN link. 


Note TCP/IP header compression is beneficial on small packets with few bytes of data, such as 
Telnet. Cisco header compression supports Frame Relay and dial-on-demand WAN link 
protocols. Due to processing overhead, header compression is generally used at lower 
speeds, such as 64-kbps links. 
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Microsoft Point-to-Point Compression 


This topic describes Microsoft Point-to-Point Compression (MPPC). 


Implementing MPPC 


E == | Jz) 


Microsoft Host 


ISDN or Dialup 


Service 


LAPB, PPP, Decompress 
MPPC 
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The MPPC protocol (RFC 2118) allows Cisco routers to exchange compressed data with 
Microsoft clients. MPPC uses an LZ-based compression mechanism. Use MPPC when 
exchanging data with a host using MPPC across a WAN link. 
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Other Compression Considerations 


This topic describes modem compression, encrypted data, and CPU and memory considerations 
when you are selecting compression for a WAN link. 


Other Compression Considerations 


ee ee) 


* Modem compression 
* Encrypted data 


° CPU cycles versus memory 
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Other considerations when selecting a compression algorithm to optimize your WAN 
utilization include: 


= Modem compression: In dialup environments, compression can occur in the modem. Two 
common modem compression standards are Microcom Networking Protocol-5 (MNP-5) 
and the International Telecommunication Union Telecommunication Standardization 
Sector (ITU-T) V.42bis. MNP-5 and V.42bis offer up to two times and four times 
compression, respectively. The two specifications are not compatible. The modems at both 
ends of the connection negotiate the standard to use. If compression occurs at the modem, 
do not configure the router to run compression. 


= Encrypted data: Compression is a Layer 2 function and encryption occurs at Layer 3. 
When a data stream is encrypted by the client application, it is then passed onto the router 
for routing or compression services or both. When the compression engine receives the 
encrypted data stream, which by definition has no repetitive patterns, the data expands and 
will not compress. LZ will then compare the before and after images to determine which is 
the smallest and send the uncompressed data as it was originally received if expansion 
occurred. If data is encrypted, do not compress the encrypted data using a Layer 2 
compression algorithm. 


m= CPU cycles versus memory: The amount of memory that a router must have and that the 
network manager must plan on varies. The amount of memory that is required varies 
according to the protocol being compressed, the compression algorithm, and the number of 
concurrent circuits on the router. Memory requirements will be higher for Predictor than for 
STAC, and payload will use more memory than link compression. Likewise, link 
compression uses more CPU cycles. 
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Data Compression 


This topic describes the configuration steps for compression on a WAN interface. 


¢ Configures software compression for LAPB, PPP, and HDLC for 
a link 


Router (config-if)#frame-relay payload-compress 


¢ Enables payload compression on a specified interface or 
subinterface 


BCRAN v2.1—10-8 


Use the compress [ predictor | stac | mppc | command to configure point-to-point software 
compression for an LAPB, PPP, or HDLC link. Data compression schemes that are used in 
internetworking devices are referred to as lossless compression algorithms. These schemes 
reproduce the original bit streams exactly, with no degradation or loss. This feature is required 
by routers and other devices to transport data across the network. If you have a point-to-point 
link and are using PPP encapsulation, you can also use the ppp compress [ predictor | stac | 
interface configuration command (not shown) instead of the compress command. 


Use the frame-relay payload-compress command to enable STAC compression on a specified 
Frame Relay point-to-point interface or subinterface. 


Use the ip rtp header-compression command to enable compressed Real-Time Transport 
Protocol (cCRTP) header compression for serial encapsulations, HDLC, or PPP. If you include 
the passive keyword, the software compresses outgoing RTP packets only if incoming RTP 
packets on the same interface are compressed. If you use the command without the passive 
keyword, the software compresses all RTP traffic. 


Use the ip tep header-compression command to enable TCP/IP header compression. The 


passive keyword compresses outgoing TCP packets only if incoming TCP packets on the same 
interface are compressed. If passive is not specified, the router will compress all traffic. 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
eee nL SION PN 


Link compression involves compressing the header and 
payload sections of a data stream. 

Payload compression only compresses the payload portion 
of a data stream. 


Use the compress [ predictor | stac | mppc ] command to 
configure point-to-point software compression for an LAPB, 
PPP, or HDLC link. 


Use the frame-relay payload-compress command to enable 
STAC compression on a specified Frame Relay point-to-point 
interface or subinterface. 


Use the ip rtp header-compression command to enable CRTP 
header compression for serial encapsulations, HDLC, or PPP. 


Use the ip tcp header-compression command to enable TCP/IP 
header compression. 
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Next Steps 
For the associated lab exercise, refer to the following section of the course Lab Guide: 


m Lab Exercise 10-1: Managing Network Performance Using CBWFQ and LLQ 
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Quiz 
Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 


Ql) What is the best method for optimizing data across a WAN link? 


A) WFQ 
B) LLQ 
C) FIFO 
D) compression 


Q2) Link compression will compress the 
A) payload 
B) header 
C) payload and header 


D) none of the above 


Q3) Applications that require the IP header to be intact should use 


A) link compression 

B) payload compression 

C) header compression 

D) link and header compression 


Q4) TCP/IP header compression requires very minimal processing and should be used on 
high-speed WAN links. 


A) true 
B) false 


Q5) Which implementation of compression allows Cisco routers to compress 
communications with Microsoft clients? 


A) STAC 
B) Predictor 
C) MPPC 


Q6) Compression and encryption should be used together to maximize WAN links. 
A) true 
B) false 
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Q7) — Which of the following is NOT a valid keyword for the compress command? 
A) predictor 


B) stac 
C) mppc 
D) Iz 
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Quiz Answer Key 


Ql) D 

Relates to: Compression Overview 
Q?2) Cc 

Relates to: Link Compression over a Point-to-Point Connection 
Q3)  B 

Relates to: Payload Compression Implementation 
Q4) iB 

Relates to: TCP/IP Header Compression 
Q5) Cc 

Relates to: Microsoft Point to Point Compression 
Q6) B 

Relates to: Other Compression Considerations 
Q7) =D 


Relates to: Data Compression 
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Module 11 | 


Using AAA to Scale Access 
Control 


Overview 


This module describes the Cisco Secure Access Control Server (ACS) software features. It also 
describes how to configure a router to access the Cisco Secure ACS and use authentication, 
authorization, and accounting (AAA). 


Objectives 
Upon completing this module, you will be able to: 
m™ Describe Cisco Secure ACS features and operation 
= Configure a router with AAA commands 


m Use aconfigured AAA server to control access in a remote access network 


Outline 
The module contains these lessons: 
m Identifying Cisco Access Control Solutions 


™ Defining and Configuring AAA 
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Identifying Cisco Access 
Control Solutions 


Overview 


This lesson contains an overview of Cisco access control solutions. 


Relevance 


Network administrators require the ability to authenticate users, authorize access, and log 
significant events (accounting) on network resources. The Cisco Systems solution to this 
requirement is the Cisco Secure ACS. 


Objectives 
Upon completing this lesson, you will be able to: 
m Identify the security features of the Cisco Secure ACS server 
m Identify the three components of the Cisco Secure ACS server 
m™ Describe the security features of the Cisco Secure ACS server components 


m™ Describe the features of the Cisco Secure ACS server administrator client 


Learner Skills and Knowledge 
To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m= All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO) 
course 


m All knowledge presented in the Interconnecting Cisco Network Devices (ICND) course 


Outline 


11-4 


This lesson includes these topics: 


Overview 

Cisco Access Control Solutions Overview 
Basic Security Devices and Router Security 
Cisco Security Options Overview 

Cisco Secure ACS Overview 

Cisco Secure ACS Components 

Cisco Secure ACS Administrator GUI Client 


Summary 


Quiz 
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Cisco Access Control Solutions Overview 


This topic describes Cisco access control solutions. 


Cisco Access Control Solutions Overview 


° Cisco security control solutions 

° Security options 

* Cisco Secure ACS function and components 
* Cisco Secure ACS administrative clients 
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The Cisco Secure ACS is a high-performance, highly scalable, centralized user access control 
framework. The Cisco Secure ACS offers centralized command and control for all user AAA 


from a web-based graphical interface and distributes those controls to hundreds or thousands of 
access gateways in your network. 
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Basic Security Devices and Router Security 


This topic discusses basic security methods. 


Basic Security Devices and Router Securit 


¢ Router security services to be used: 
internet — Access lists 


— Service password encryption 
+— Access Lists —~ AAA 


VPN— +—Firewall * Router services to be examined for 
security impacts: 


Intrusion 
Detection — IP source route 


— HTTP server 


— Bootp 
— CDP 
— Small servers 
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In a remote access network it is important to secure data and the network infrastructure. 
Although this course does not analyze different security methods in depth, it does focus on 
AAA and Virtual Private Networks (VPNs). Other security measures must also be considered 
when constructing a remote access network. 


Popular security devices include: 


m= Cisco PIX Firewall: Firewalls separate network segments and inspect packets to determine 
if they are part of a permitted protocol, IP address, or conversation. The Cisco PIX Firewall 
can actually examine conversations to determine if an internal user properly solicited 
inbound traffic on the network. 


= Intrusion Detection System (IDS): You can install IDS at various points within a network 
to examine passing traffic and determine if the traffic patterns show certain anomalies. 
These irregular traffic signatures can alert the network administrator of a network attack. 


m VPN concentrator: Concentrators can encrypt data in network traffic and allow this data 
to be shared confidentially over a network infrastructure. 


= Routers: Routers offer many security features that are also available in dedicated security 
devices. These features include the ability to encrypt traffic as a VPN concentrator and the 
ability to run access lists that prevent unauthorized traffic from accessing interfaces. In 
addition, routers can run a Cisco IOS Firewall feature set that prevents unauthorized traffic. 
While simultaneously inspecting traffic conversations in a manner similar to the Cisco PIX 
Firewall. 
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Although routers offer security features, many of the services that help the administrator 
manage the network can also leave the network vulnerable to attack. For example, Cisco routers 
generally have a web browser configuration interface, but it is recommended that 
administrators remove this HTTP functionality and configure using the command-line interface 
(CLI) in Cisco IOS software. 


Other helpful services (such as Cisco Discovery Protocol [CDP]) can also be taken advantage 
of by a dishonest user trying to map a network. It is therefore important for a network 
administrator to know which users have access to the network and how to protect it from 
attacks. 


Cisco Secure ACS implementation of AAA can be an extremely valuable tool available for 
administrators to use in protecting the network 


Copyright © 2004, Cisco Systems, Inc. Using AAA to Scale Access Control 11-7 


Cisco Security Options Overview 


This topic describes Cisco access control solutions. 


Cisco Security Options Overview 
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Cisco provides the following security solutions: 


Clients: Dialup clients can use token cards for secure dialup. Token cards such as RSA 
Data Security, Enigma, and Cryptocard are supported. 


Protocols (client): The Cisco IOS software supports PPP, Challenge Handshake 
Authentication Protocol (CHAP), and Password Authentication Protocol (PAP) for dialup 
security. Using PPP with CHAP authentication is recommended. 


Access servers: The Cisco IOS software supports the following protocols to provide a 
secure means for dialup access: dialer profiles, access control lists (ACLs), per-user ACLs, 
lock and key, Layer 2 Forwarding (L2F) protocol, Layer 2 Tunneling Protocol (L2TP), and 
Kerberos V. 


Protocols (central site): For security verification between the network access server and 
the network security server, the network access server supports the TACACS+, RADIUS, 
and Kerberos V protocols. 


Security servers: The Cisco Secure ACS is the umbrella under which Cisco Systems has a 
variety of security server solutions. Both the Cisco Secure ACS for UNIX and the Cisco 
Secure ACS for Windows software provide networks with AAA capabilities. 
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Cisco Secure ACS Overview 


This topic describes Cisco Secure Access Control Server (ACS). 


Cisco Secure ACS Overview 


Cisco Secure ACS 
(Access Control Server) 
PIX firewall 


¢ Provides authentication, authorization, and 
accounting (AAA) for networks 


The Cisco Secure ACS helps centralize access control, accounting, and client access 
management. 


The Cisco Secure ACS software incorporates a multiuser, web-based Java configuration and 
management tool that simplifies server administration and enables multiple system 
administrators to simultaneously manage security services from multiple locations. The 
graphical user interface (GUI) supports Microsoft and Netscape web browsers and provides 
multiplatform compatibility. 


Various methods of authentication are supported on the Cisco Secure ACS, such as manual 
password entry, CHAP, and one-time passwords, including token cards. Token cards are 
considered the strongest method used to authenticate connecting users and to prevent 
unauthorized users from accessing proprietary information. 


Management of group and user information takes place on a database configured to work with 
the Cisco Secure ACS. To simplify management of group and user information, the Cisco 
Secure ACS supports internal Windows, Open DataBase Connectivity (ODBC), Lightweight 
Directory Access Protocol (LDAP), Novell Directory Services (NDS), and many token server 
databases. 


Additional features included in the Cisco Secure ACS are the ability to automatically disable 
accounts for prevention of brute force attacks and limitations on the number of login sessions. 
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Cisco Secure ACS Components 


This topic describes Cisco Secure ACS components. 


Cisco Secure ACS Components 


Cisco Secure ACS 


ya @ 


Access Router Firewall 
Server 


The Cisco Secure ACS has three major components: 
m AAA server (Cisco Secure ACS) 

m AAA clients 

m User database 


The AAA server gathers authentication information from an AAA configured client and 
verifies this information with a database. The Cisco Secure ACS then returns information to the 
AAA clients, permitting or denying user access. When the user authenticates successfully, the 
Cisco Secure ACS determines the authorization attributes to give the AAA client. 
Authorization attributes may include IP address pool, the type of protocol connection, or an 
ACL. The AAA client then begins forwarding accounting information to the 

Cisco Secure ACS. 


AAA clients include a variety of Cisco products such as firewalls, routers, switches, and VPN 
Concentrators. These clients have software that allows them to communicate with the Cisco 
Secure ACS using either the TACACS+ or RADIUS protocols. 


Cisco Secure ACS allows network administrators to easily administer accounts and globally 
change levels of services that are available for entire groups of users. The administrator can 
affect individual users or groups of users as they are configured in a specified database. This 
database may be a Windows NT or 2000, LDAP, NDS, ODBC, or many other token server 
databases. 


Note Cisco Secure ACS operates successfully with Oracle version 7.3, Sybase SQL Server 
version 11, and Sybase SQLAnywhere by means of ODBC. 
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Cisco Secure ACS Administrator GUI Client 


This topic describes the Cisco Secure ACS administrator client. 


GUI Client Supported 


Cises Sroveas 


Defank Urewp 


M reap capping Mae ret been 
caged, ar 
+ the 


wu 
(eles | 
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The web-based interface lets you easily manage your Cisco Secure ACS database through the 
same type of web browser that you use to view the Internet. 


Using the web-based interface, you can log onto the Cisco Secure ACS, change your password 
for the Cisco Secure ACS database, and perform Cisco Secure ACS system administrator tasks 


such as adding or deleting user and group profiles and assigning attributes and permissions. 


The GUI client for the Cisco Secure ACS must have Java and JavaScript enabled. 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
SS ee | 


* The Cisco Secure ACS is a high-performance, 
highly scalable, centralized user access control 
framework. 


¢ The Cisco Secure ACS incorporates a multiuser, 
Web-based Java configuration and 
management tool. 


* The major components of Cisco Secure TACACS+ 
are the AAA server, the AAA client, and the user 
database. 
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Quiz 


Use the practice items here to review what you learned in this lesson. The correct answers are 


found in the Quiz Answer Key. 


Ql) — Which services can be used with the Cisco Secure ACS? 
A) encryption 
B) hashing 


C) authentication 


Q2) Which security features can be implemented on a Cisco router? 


A) AAA 
B) access lists 
C) VPN 


D) all of the above 


Q3) — Which of the following is NOT a feature of the Cisco Secure ACS? 


A) AAA server 
B) GUI interface 
C) token card server 


D) firewall function 


Q4) Which is the strongest method used to authenticate users dialing in and to prevent 
unauthorized users from accessing proprietary information? 


A) password verification 
B) encryption 

C) token cards 

D) hashing 


Q5) — The three components of the Cisco Secure ACS are the AAA server, AAA client, and 


A) modems 
B) user database 
C) Visual Basic 


D) firewall packet inspection 


Q6) Either a Netscape or a Microsoft Windows browser may be used as the Cisco Secure 


ACS GUL 
A) true 
B) false 
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Quiz Answer Key 


Ql) 


Q3) 


Q4) 


Q5) 


Q6) 


Cc 


Relates to: 


D 


Relates to: 


D 


Relates to: 


Cc 


Relates to: 


B 


Relates to: 


A 


Relates to: 


Cisco Access Control Solutions Overview 


Basic Security Devices and Router Security 


Cisco Security Options Overview 


Cisco Secure ACS Overview 


Cisco Secure ACS Components 


Cisco Secure ACS Administrator GUI Client 
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Defining and Configuring AAA 


Overview 


This lesson provides an overview of authentication, authorization, and accounting (AAA) and 
how to configure AAA. 


Relevance 


AAA is an invaluable tool for the network administrator. Understanding how, what, and when 
to use this tool is important to effectively control network access. 


Objectives 
Upon completing this lesson, you will be able to: 
m™ Describe how AAA operates 
m™ Describe the three components of AAA 
m™ Describe the AAA router access modes 
m™ Describe how to enable AAA and identify the Cisco Secure ACS 
m= Describe how to configure AAA authentication 
™ Configure AAA authentication 
™ Configure character mode login using AAA authentication 
™ Describe how to enable AAA authorization 
= Configure character mode authorization 
m= Describe how to use AAA accounting commands 


™ Configure AAA accounting 


Learner Skills and Knowledge 


To benefit fully from this lesson, you must have these prerequisite skills and knowledge: 


m All knowledge presented in the Introduction to Cisco Networking Technologies (INTRO) 
course 


m= All knowledge presented in the Jnterconnecting Cisco Network Devices (ICND) course 


Outline 


This lesson includes these topics: 


Overview 

AAA Definitions 

AAA Overview and Configuration 
Router Access Modes 

AAA Protocols 

AAA and the Cisco Secure ACS 
AAA Authentication Commands 
Character Mode Login Example 
AAA Authorization Commands 
Character Mode with Authorization 
Packet Mode Example 

AAA Accounting Commands 
AAA Accounting Example 
Summary 


Quiz 
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AAA Definitions 


This topic describes the three components of AAA. 


AAA Definition 
eS ee a SO || 


1. Authentication 


—Who are you? 


2. Authorization 


—What can you do? 


3. Accounting 
— What did you do and how long did you do it? 
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The three parts of AAA are defined as follows: 


1. 


Authentication 


Authentication examines the identity of users and determines whether they should be 
allowed access to the network. Authentication allows network managers to bar 
intruders from their networks. 


Authorization 


Authorization allows network managers to limit the network services available to a 
user. Authorization also helps restrict the exposure of the internal network to outside 
callers. Authorization allows mobile users to connect to the closest local connection 
and still have access privileges as though they were directly connected to their local 
networks. You can also use authorization to specify which commands a new system 
administrator can issue on specific network devices. 


Accounting 


System administrators might need to bill departments or customers for connection 
time or resources that are used on the network (for example, bytes transferred). 
Accounting tracks this kind of information. You can also use the accounting syslog 
to track suspicious connection attempts and trace malicious activity. 
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AAA Overview and Configuration 
This topic explains the configuration of AAA. 


AAA Overview and Configuration 


¢ AAA definition 
¢ AAA operation 
- Router access modes 


Configuring the Cisco Secure ACS server is the first part of a two-part process to develop an 
operational access control system that implements AAA. The second process involves 
configuring the network access server so that it functions properly with the Cisco Secure ACS 
server. These steps are critical and must be completed with extreme precision. Failure to 
configure the network access server properly may result in being locked out of the router. 


You must understand router port types and access methods before you configure your network. 
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Router Access Modes 


This topic describes the AAA router access modes. 


Router Access Modes 
—————— eer a GRGELOUN It Et| 


Router Ports AAA Command Element 


Character mode tty, vty, aux, con fogin, exec, nasi 
(line mode or connection, 
interactive login) anable, command 


Packet mode async, group-async, ppp, network 
(interface mode or BRI, PRI, serial, dialer 
link protocol session) | profiles, dialer rotaries 
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Understanding router access modes is the key to understanding the AAA commands and how 
they work to secure your network access server. 


With the exception of the aaa accounting system command, all the AAA commands apply to 
either character mode or packet mode. The mode refers to the format of the packets requesting 
AAA. If the query is presented as Service-Type = Exec-User, it is presented in character mode. 
If the request is presented as Service-Type = Framed-User and Framed-Type = PPP, it is 
presented in packet mode. 


Character mode allows a network administrator with a large number of routers in the network 
to authenticate one time as the user, and then access all the routers configured in this method. 
The figure shown here can help you decode the meaning of an AAA command by associating 
the AAA command element with the connection mode to the router. 


Primary applications for the Cisco Secure ACS include securing dialup access to a network and 
securing the management of routers within a network. Both applications have unique AAA 
requirements. 


With the Cisco Secure ACS, system administrators can select a variety of authentication 


methods, each providing a set of authorization privileges. These router ports must be secured 
using the Cisco IOS software and a Cisco Secure ACS server. 
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AAA Protocols 


This topic describes the most popular AAA protocols. 


AAA Protocols 


AAA Protocols TACACS+ 


Aa Acide TCP/IP UDPIIP 


Encryption Entire Body Password Only 


Standard Open/IETF 
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The best-known and best-used types of AAA protocols are TACACS+ and RADIUS. 
TACACS+ supersedes older versions of TACACS and XTACACS. TACACS+ and RADIUS 
have different features that make them suitable for different situations. 


For example, RADIUS is maintained by a standard that was created by the Internet Engineering 
Task Force (IETF); TACACS-+ is a proprietary Cisco Systems technology that encrypts data. 
Another key difference is that TACACS+ runs in TCP while RADIUS operates in User 
Datagram Protocol (UDP). 


TACACS+ provides many benefits for configuring Cisco devices to use AAA for management 
and terminal services. TACACS+ can control the authorization level of users, while RADIUS 
cannot. Also, because TACACS+ separates authentication and authorization, it is possible to 
use TACACS+ authorization and accounting while using another method of authentication 
such as Kerberos. 
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AAA and the Cisco Secure ACS 


This topic describes how to enable AAA and identify the Cisco Secure ACS. 


Enabling AAA and 
Identifying the Server 


TACACS+ or RADIUS 


reuter (config)# aaa new-model 
router (config) # tacacs-server host 192 .168.229.76 


single-connection 
reuter (config)# tacacs-server key sharedl 


router (config) # aaa new-model 
router (config) # radius-server host 192 .168.229.76 
router (config) # radius-server key shared 
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The first steps in configuring the network access server are as follows: 

m Globally enable AAA to allow the use of all AAA elements. This step is a prerequisite for 
all other AAA commands. 

m Specify the Cisco Secure ACS that will provide AAA services for the network access 
server. 


= Configure the encryption key that will be used to encrypt the data transfer between the 
network access server and the Cisco Secure ACS. 
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The table shows commonly used AAA configuration commands and what the commands 
enable. 


Commonly Used AAA Commands 


Command Description 
aaa new-model Enables AAA on the router. Prerequisite for all other AAA 
commands. 


tacacs-server host ip-address_ | \ndicates the address of the Cisco Secure ACS server and 
single-connection specifies use of the TCP single-connection feature of Cisco 
Secure ACS. This feature improves performance by maintaining 
a single TCP connection for the life of the session between the 
network access server and the Cisco Secure ACS server, rather 
than opening and closing TCP connections for each session (the 
default). 


tacacs-server key key Establishes the shared secret encryption key between the 
network access server and the Cisco Secure ACS server. 


radius-server host ip-address_ | Specifies a RADIUS AAA server. 


radius-server key key Specifies an encryption key to be used with the RADIUS AAA 
server. 
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AAA Authentication Commands 


This topic describes how to configure AAA authentication. 


AAA Authentication Commands 
eee CE | 


router (config)#sasn suthentication legin 
{aeftault | tist-—ramec} 

group [group-name | radius | tacacst+} 
[method2 [method3 [methcodd]] 


ensble 
group 
krbS 

line 
lecal 
local-—case 


ncns 


Example: 


router (config) faaa authentication Login default group tacacst 
local line 
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The authentication login command in global configuration mode enables the AAA 
authentication process, as follows: 


m default: This command creates a default that is automatically applied to a// lines and 
interfaces, specifying the method or sequence of methods for authentication. 


= list-name: This command creates a list, with a name of your choosing, that is applied 
explicitly to a line or interface using the method or methods specified. This defined list 
overrides the default when applied to a specific line or interface. 


™ group {group-name | radius | tacacst+}: This method specifies the use of an AAA server. 
The group radius, group tacacs+ method refers to previously defined RADIUS or 
TACACS+ servers. The group-name string allows the use of a predefined group of 
RADIUS or TACACS+ servers for authentication (created with the aaa group server 
radius or aaa group server tacacs+ command). 


m [method2 [method3 |method4]|]: This command executes authentication methods in the 
listed order. If an authentication method returns an error, such as a timeout, the Cisco IOS 
software attempts to execute the next method. If the authentication fails, access is denied. 
You can configure up to four methods for each operation. The method must be supported 
by the authentication operation specified. A general list of methods includes: 


— enable: Uses the enable password for authentication 

—  _ group: Uses server-group 

—  krb5: Uses Kerberos Version 5 for authentication 

— line: Uses the line password for authentication 

— local: Uses the local username and password database for authentication 
— _ local-case: Uses case-sensitive local username authentication 

— none: Uses no authentication 
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Character Mode Login Example 


This topic provides an example of how to configure character mode login using AAA 
authentication. 


Character Mode Login Example 
a e... a 


router (config) #aaa authentication Login default group 
tacacs=+ local 


router (config)faaa authentication login ny_list group 


tacacs+ 
router (config)line con 0 


router (config-lins) #login authentication my_list 
router (config line) Fline 1 48 


router (config-line) #login authentication ny list 
router (config-line)#line vty © 4 (this implies “default” list) 


BCRAN v2.1—11-8 


This table describes how to configure AAA authentication using TACACS+. 


AAA Authentication Commands 


Command Description 

aaa authentication login The default login is TACACS+ server. If no response from the 

default group tacacs+ local server, then use the local username and password database. 

aaa authentication login Used for character mode username and password challenge. A 

my_list group tacacs+ new list name, my_list, is defined, and the only method is 
TACACS+. 

line con 0 Enters console configuration mode. 


login authentication my_list Configures the console line to use the AAA list name my_list, 
which has been previously defined to use only TACACS+. 


line 1 48 Configures lines 1 through 48 to use the AAA list name my_list, 
login authentication my_list which has been previously defined to use only TACACS+. 


line vty 0 4 On lines vty 0 through 4, the default list is used, which in this 
case specifies the aaa authentication login default tacacs+ 
local command. 
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AAA Authorization Commands 


This topic describes how to enable AAA authorization. 


AAA Authorization Commands 


Network Cisco Secure 
Access Server ACS Server 


router (config)#aaa authorization 
{metwork | exec | commands level | config-commands | reverse- 
access) (default!/list-name) methodl [method2._) 


Example: 


router(config)#aaa authorization exec default group radius 
lecal none 
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You can configure the access server to restrict the user to perform certain functions only after 
successful authentication. Use the aaa authorization command in global configuration mode 
to select the function authorized and the method of authorization, as shown in the table. 


AAA Authorization Commands 


Command Description 

network All network services, including Serial Line Internet Protocol (SLIP), PPP, 
and AppleTalk Remote Access Protocol (ARA Protocol). 

exec EXEC process. 

commands level All EXEC commands at the specified level (0-15). 

config-commands For configuration mode commands. 

reverse-access For reverse Telnet connections. 

if-authenticated It allows the user to use the requested function if the user is authenticated. 

local Uses the local database for authorization (with the username password 
commands). 

none Performs no authorization. 

group radius Uses RADIUS for authorization. 

group tacacst+ Uses TACACS + for authorization. 
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Character Mode with Authorization 


This topic illustrates an example of how to configure character mode authorization. 


Character Mode with 


Authorization Example 
rg ee mee 


router (config) # username acmin password cisco 
router (config) # ana new-modal 


router (config)# aaa authentication login default local 


router (config) # aaa authentication enable cefault 
group tacacs+ enable 

router (config) # asa authorization exec default 
qreup tacace+ local 

router (contig) # aaa authorization command 1 defaults 


greup tacacs+ local 
router (config)# aaa authorization command 15 default 
qreup tacace+ local 
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Character mode with authorization commands are shown in the table. 


Example of AAA Command Usage 


Command 


aaa authentication enable 
default group tacacs+ enable 


Description 


Determines if the user can access the enabled command level. If 
authentication via TACACS+ server is unavailable, then use the 
enable password. 


aaa authorization exec default 
group tacacs+ local 


Determines if the user is allowed access to an EXEC shell and, if 
so, which shell attributes are permitted or denied. The method is 
TACACS +. If there is no response from the TACACS+ server, then 
the method is local, using the local username and password 
database. 


aaa authorization command n 
default group tacacs+ local 


Runs authorization for all commands at the specified privilege level 
(n). It is possible to have every line entered by a user authorized by 
TACACS+. 
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Packet Mode Example 


This topic illustrates an example of how to configure packet mode authorization. 


Packet Mode Example 
a re Ee... Se 


router (config) fusername admin password xxxxx 
router (config) #saa authentication ppp default if needed 


group 


Tacacst+ 


router (confiq)#aaa authentication ppp user if-needed 


group 


tacacs+ 


router (config) aaa authorization network default 


group 


tacacet if-authen 


router (config) #interface group-asyncl 

router (confiq-if)#ppp authentication chap (default list implied) 
router (aonfig-if) #interface asyncl6 

router (config-if)#ppp authentication chap user 
routar(config-1f)#lana 1 16 
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The table contains descriptions of the commands that are used in the example configuration. 


Example of AAA Packet Mode Command Usage 


Command 


username admin password 
password 


Description 


Creates or adds to the local database a username of admin and 
the specified password. 


aaa authentication ppp user 
if-needed group tacacs+ 


Used for packet mode username /password challenge. Creates a 
list called user that specifies the first method as if-needed and the 
second as TACACS+-. If the user has already been authenticated 
on a tty line, the first method, if needed, uses that as proof of 
authentication. If the user has not already been authenticated, 
TACACS + is used. 


aaa authorization network 
default group tacacs+ if- 
authenticated 


Determines if the user is permitted to make packet mode 
connections. If so, specifies what packet mode attributes are 
permitted or denied. Method is TACACS+. If no response from 
TACACS+, checks if user has been authenticated. 


interface async16 
ppp authentication chap user 


On line async16, uses list user for CHAP authentication. 


line 1 16 


On lines 1 to 16, uses default list. 
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AAA Accounting Commands 


This topic describes how to use AAA accounting commands. 


AAA Accounting Commands 


Network Cisco Secure 
Access Server ACS Server 


router (config) #aaa accounting 

{command level | connection | exec | network | system} 
{default | list-name} {start-stop | stop-only | 
wait-start}) group {tacacs+ | radius} 
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Use the aaa accounting command in global configuration mode for auditing and billing 
purposes, as shown in the following table. 


Example of AAA Accounting Command Usage 


Command Description 

command level Audits all commands at the specified privilege level (0-15). 

connection Audits all outbound connections such as Telnet, rlogin. 

exec Audits the EXEC process. 

network Audits all network service requests, such as SLIP, PPP, and ARAP. 
system Audits all system-level events, such as reload. 

start-stop Sends a start accounting notice at the beginning of a process and a stop 


accounting notice at the end of a process. The start accounting record is 
sent in the background. The requested user process begins regardless 
of whether the start accounting notice has been received by the 
accounting server. 


stop-only Sends a stop accounting notice at the end of the requested user 
process. 
wait-start As in start-stop, sends both a start and a stop accounting notice to the 


accounting server. With the wait-start keyword, the requested user 
service does not begin until the start accounting notice is acknowledged. 
A stop accounting notice is also sent. 


group {tacacs+ | radius} Uses TACACS+ for accounting, or enables RADIUS-style accounting. 
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AAA Accounting Example 


This topic provides an example of how to configure AAA accounting. 


Accounting Example 
a Ee... aaa 


Typical Output: 

Wed Reo 4 04:47;46 2002 
NAS -IP-Address = 
NAS -Port = 5 
Usexz-Name = "“jdecs' 


"172.16.24.127" 


Claent=<Port<DNIS = "4327528" 


Caller-In = "562" 

aAcet-5 tatus-Type = stop 
Acote Authentic — RADIUS 
Service-Type 
Acct-Session-Td = 
Framec -IP-Address = 
Feamec=Protcocol = BPP 
Acct-Input-Cetets — SO7Ss 


= Framed 


-Goutput-Pootetse — 167 


-Input-Packets =< 33 

—-Output-rackets = 3 
Acot<Eession-Tame = 171 
Acct-Delay-Time = 0 
User-Id = 


" jdoe" 
NAS-~Identitier = 


"qo00c00F" 
"10,1.1,2" 


"172.16.24.127" 
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The Cisco Secure ACS serves as a central repository for accounting information by completing 
the access control functionality. Accounting essentially tracks events occurring on the network. 


Each session that is established through the Cisco Secure ACS can be fully accounted for and 
stored on the server. This stored information can be very helpful for management, security 
audits, capacity planning, and network usage billing. 


The table contains the descriptions of commands that are used in the example configuration. 


AAA Accounting Commands 


Command 


aaa accounting network default 
start-stop group tacacs+ 


Description 


Runs start-stop accounting for all packet mode service 
requests and uses the TACACS+ server 


aaa accounting exec default start- 
stop group tacacs+ 


Runs start-stop accounting for all character mode service 
requests and uses the TACACS+ server 


aaa accounting command 15 
default start-stop group tacacs+ 


Runs start-stop accounting for all commands at privilege level 
15 


aaa accounting connection 
default start-stop group tacacs+ 


Runs start-stop accounting for all outbound Telnet and rlogin 
sessions 


aaa accounting system default 
start-stop group tacacs+ 


Runs start-stop accounting for all system-level events not 
associated with users, such as configuration changes and 
reloads 
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Summary 


This topic summarizes the key points discussed in this lesson. 


Summary 
ee ee ee i Sas (SOON eo 


* Authentication, authorization, and accounting are 
used to effectively control network access. 


* Authentication determines the identity of users 
and whether they should be allowed to access the 
network. 


* Authorization allows network managers to limit the 
network services available to each user. 


* Accounting keeps track of connection time and 
resources used on the network. 
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Next Steps 
For the associated lab exercise, refer to the following section of the course Lab Guide: 


m Lab Exercise 11-1: Using AAA to Scale Access Control 
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Quiz 


Use the practice items here to review what you learned in this lesson. The correct answers are 
found in the Quiz Answer Key. 


Ql) 


Q2) 


Q3) 


Q4) 


QS) 


Q6) 


Copyright © 2004, Cisco Systems, Inc. 


Which process in AAA identifies a user? 


A) authentication 
B) authorization 
C) accounting 


In a remote access network, where should you configure AAA to authenticate incoming 


traffic to the central site? 


A) on the remote nodes 
B) on the central site router 
C) on the AAA server between the central site and the remote sites 


D) only on the TACACS+ or RADIUS server 


Which part of the packet does TACACS+ encrypt? 
A) username 

B) password 

C) authentication services 


D) all of the above 


Which command is required to implement AAA on a Cisco router? 


A) aaa accounting 
B) aaa new-model 
C) aaa authorization 
D) tacacs-server host 


Which command enables the authentication process? 


A) aaa new-model 

B) aaa authentication login 
C) radius-server key 

D) aaa authenticate 


The command line con 0 is used to enter the console configuration mode. 
A) true 
B) false 
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Q7) — What does the aaa authorization command allow you to do? 


A) authorize which users can log in 

B) bypass authentication for a user 

C) specify who can establish a Telnet session on the router 
D) specify which commands a user may use 


Q8) — Itis impossible to have every line entered by a user authorized by TACACS-+. 
A) true 
B) false 
Q9) = In which command mode is the line 1 16 command issued? 
A) router(config)# 
B) router(config-if)# 
C) router# 
D) router> 
Q10) Which aaa accounting keyword will audit Telnet traffic? 
A) exec 
B) network 
C) system 
D) connection 


Q11) Which command will run start-stop accounting for all character mode service requests? 


A) aaa accounting network default start-stop group tacacs+ 
B) aaa accounting exec default start-stop group tacacs+ 
C) aaa accounting connection default start-stop group tacacs+ 
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Quiz Answer Key 


Ql) A 

Relates to: 
Q2) B 

Relates to: 
Q3). D 

Relates to: 
Q4) B 

Relates to: 
Q5)  B 

Relates to: 
Q6) A 

Relates to: 
Q7) D 

Relates to: 
Q8) B 

Relates to: 
Q9) A 

Relates to: 
Q10) D 

Relates to: 
Qll) B 

Relates to: 
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AAA Definitions 


Router Access Modes 


AAA Protocols 


AAA and the Cisco Secure ACS 


AAA Authentication Commands 


Character Mode Login Example 


AAA Authorization Commands 


Character Mode with Authorization 


Packet Mode Example 


AAA Accounting Commands 


AAA Accounting Example 
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BCRAN | 


Course Glossary 


The Course Glossary for Building Cisco Remote Access Networks (BCRAN) v2.1 highlights 
and defines key terms and acronyms used throughout this course. Many of these terms are also 
described in the Cisco Internetworking Terms and Acronyms resource, available via 


http:/Awww.cisco.com. 


Acronym or Expansion of | Short Definition for Definition of Acronym or Term Source for 
Term Acronym Mouseover Definition 
802.x IEEE standards that A set of IEEE standards for the ITA/Jan 2003 
define LAN protocols definition of LAN protocols. 
A&B bit T1 transmission Procedure used in T1 transmission ITA/Jan 2003 
signaling facilities in which each | facilities in which each of the 24 T1 
of the 24 T1 subchannels devotes 1 bit of every 
subchannels devotes 1 | sixth frame to the carrying of 
bit of every sixth frame | supervisory signaling information. 
to signaling Also called 24th channel signaling. 
AAA authentication, | authentication, Pronounced “triple A.” In security, ITA/Jan 2003 
authorization, authorization, and authentication is the verification of the 
and accounting | accounting identity of a person or a process. 
Authorization is The method for 
remote access control, including one- 
time authorization or authorization for 
each service, per-user account list 
and profile, user group support, and 
support of protocols such as IP and 
telnet. Accounting is responsible for 
collecting network data relating to 
resource usage. 
Access-Accept RADIUS server Response packet from the RADIUS ITA/Jan 2003 
notifying the access server notifying the access server 
server that the user is that the user is authenticated. This 
authenticated packet contains the user profile, 
which defines the specific AAA 
functions assigned to the user. 
Access- RADIUS server Response packet from the RADIUS ITA/Jan 2003 
Challenge requesting that the server requesting that the user supply 
user supply additional additional information before being 
information authenticated. 
Access-Request Request for Request packet sent to the RADIUS ITA/Jan 2003 
authentication sent to server by the access server 
the RADIUS server requesting authentication of the user. 
Acknowledg- Notification that some Notification sent from one network ITA/Jan 2003 
ment event occurred device to another to acknowledge 
that some event occurred (for 
example, the receipt of a message). 
Sometimes abbreviated ACK. 
Compare to NAK. 
ACL access list A list used to permit or | A list kept by routers to control ITA/Jan 2003 
deny access or other access to or from the router for a 
services number of services (for example, to 
prevent packets with a certain IP 
address from leaving a particular 
interface on the router). 
Activation process of enabling a The process of enabling a subscriber | ITA/Jan 2003 
subscriber device for device for network access and 
network access and privileges on behalf of a registered 
privileges account.active discovery packet. The 
type of packet used by PPPoE during 
the discovery stage. 
address Data structure used to | Data structure or logical convention ITA/Jan 2003 


identify a unique entity 


used to identify a unique entity, such 
as a particular process or a network 
device. 
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Acronym or Expansion of | Short Definition for Definition of Acronym or Term Source for 
Term Acronym Mouseover Definition 
address mask Bit combination that A bit combination used to describe ITA/Jan 2003 
describes which which part of an address refers to the 
address parts refer to network or the subnet and which part 
the network and the refers to the host. Sometimes 
host referred to simply as mask. 
address Method for resolving Generally, a method for resolving ITA/Jan 2003 
resolution differences between differences between computer 
computer addressing addressing schemes. Address 
schemes resolution usually specifies a method 
for mapping network layer (Layer 3) 
addresses to data-link layer (Layer 2) 
addresses. 
ADM add/drop Digital multiplexing Digital multiplexing equipment that ITA/Jan 2003 
multiplexer equipment that provides interfaces between different 
provides interfaces signals in a network. 
between different 
signals in a network. 
administrative Rating of the Rating of the trustworthiness of a ITA/Jan 2003 
distance trustworthiness of a routing information source. 
routing information Administrative distance often is 
source expressed as a numerical value 
between 0 and 255. The higher the 
value, the lower the trustworthiness 
rating. 
ADSL asymmetric One of four DSL One of four DSL technologies. ADSL ITA/Jan 2003 
digital technologies. is designed to deliver more bandwidth 
subscriber line downstream (from the central office to 
the customer site) than upstream. 
Downstream rates range from 1.5 to 
9 Mbps, whereas upstream 
bandwidth ranges from 16 to 640 
kbps. ADSL transmissions work at 
distances up to 18,000 feet (5,488 
meters) over a single copper twisted 
pair. See also HDSL, SDSL, and 
VDSL. 
ADTS automated BCRAN Mod6 
digital terminal 
system 
AES Advanced A new symmetric encryption BCRAN Mod5 
Encryption algorithm selected by NIST in a public 
Standard process. AES is set to replace DES 
mainly because of its longer keys and 
smaller computing resources needed. 
It is already available in a number of 
VPN products. 
aggressive Connection mode that | The connection mode that eliminates | ITA/Jan 2003 
mode eliminates several several steps during IKE 
steps during IKE authentication negotiation (phase 1) 
authentication between two or more IPSec peers. 
Aggressive mode is faster than main 
mode but not as secure. 
AH Authentication | Security protocol that A security protocol that provides data | ITA/Jan 2003 


Header 


provides data 
authentication using 
fields embedded in the 
datagram 


authentication and optional anti- 
replay services. AH is embedded in 
the data to be protected (a full IP 
datagram). 
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Acronym or Expansion of | Short Definition for Definition of Acronym or Term Source for 
Term Acronym Mouseover Definition 
AlS alarm An all-ones signal In a T1 transmission, an all-ones ITA/Jan 2003 
indication transmitted in lieu of signal transmitted in lieu of the 
signal the normal signal to normal signal to maintain 
maintain transmission transmission continuity and to 
continuity for T1 indicate to the receiving terminal that 
there is a transmission fault that is 
located either at, or upstream from, 
the transmitting terminal. See also 
T1. 
AMI alternate mark | Line-code type used Line-code type used on T1 and E1 ITA/Jan 2003 
inversion on T1 and E1 circuits. circuits. In AMI, zeros are 
represented by 01 during each bit 
cell, and ones are represented by 11 
or 00, alternately, during each bit cell. 
AMI requires that the sending device 
maintain ones density. Ones density 
is not maintained independently of 
the data stream. Sometimes called 
binary coded alternate mark 
inversion. Compare with bipolar 8- 
zero substitution. See also ones 
density. 

ANSI American Organization that helps | A voluntary organization composed of | ITA/Jan 2003 
National develop international corporate, government, and other 
Standards and U.S. standards members that coordinates standards- 
Institute relating to, among related activities, approves U.S. 

other things, national standards, and develops 

communications and positions for the United States in 

networking international standards organizations. 
ANSI helps develop international and 
U.S. standards relating to, among 
other things, communications and 
networking. 

antenna A device for A device for transmitting or receiving ITA/Jan 2003 
transmitting or a radio frequency (RF). Antennas are 
receiving a radio designed for specific and relatively 
frequency (RF). tightly defined frequencies and are 

quite varied in design. An antenna for 
a 2.5 GHz (MMDS) system does not 
work for a 28 GHz (LMDS) design. 

Antenna Site The location of main The location of main receiving BCRAN 
receiving antennas for | antennas for broadcast and satellite Mod11 
broadcast and satellite | reception. 
reception. 

application Program that performs | A program that performs a function ITA/Jan 2003 
a function directly fora | directly fora user. FTP and Telnet 
user clients are examples of network 

applications. 

area Logical set of network A logical set of network segments ITA/Jan 2003 
segments and their (OSPF-based) and their attached 
attached devices devices. Areas usually are connected 

to other areas via routers, making up 
a single autonomous system. See 
also autonomous system. 

ARP Address Protocol used to map Internet protocol used to map an IP ITA/Jan 2003 
Resolution an IP address to a address to a MAC address. Defined 
Protocol MAC address in RFC 826. 
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Acronym or Expansion of | Short Definition for Definition of Acronym or Term Source for 
Term Acronym Mouseover Definition 
ARPA Advanced BCRAN Mod6 
Research 
Projects 
Agency 
Network 
assigned RFC that documents RFC [STD2] documents the currently | ITA/Jan 2003 
numbers the currently assigned assigned values from several series 
values from several of numbers used in network protocol 
series of numbers implementations. This RFC is 
used in network updated periodically, and current 
protocol information can be obtained from the 
implementations IANA. If you are developing a 
protocol or an application that 
requires the use of a link, a socket, a 
port, a protocol, and so on, contact 
the IANA to receive a number 
assignment. 
asynchronous Digital signals that are | Term describing digital signals that ITA/Jan 2003 
transmission transmitted without are transmitted without precise 
precise clocking clocking. Such signals generally have 
different frequencies and phase 
relationships. Asynchronous 
transmissions usually encapsulate 
individual characters in control bits 
(called start and stop bits) that 
designate the beginning and the end 
of each character. Compare with 
isochronous transmission, 
plesiochronous transmission, and 
synchronous transmission. 
ATM Asynchronous | Standard that conveys | The international standard for cell ITA/Jan 2003 
Transfer Mode | multiple service types relay in which multiple service types 
in fixed-length cells (such as voice, video, or data) are 
conveyed in fixed-length (53-byte) 
cells. Fixed-length cells allow cell 
processing to occur in hardware, 
thereby reducing transit delays. ATM 
is designed to take advantage of 
high-speed transmission media, such 
as E3, SONET, and T3. 
authentication In security, verification In security, the verification of the ITA/Jan 2003 
of the identity of a identity of a person or a process. 
person or a process 
autonomous Networks under a A collection of networks under a ITA/Jan 2003 
system common common administration sharing a 


administration that 
share a routing 
strategy 


common routing strategy. 
Autonomous systems are subdivided 
by areas. An autonomous system 
must be assigned a unique 16-bit 
number by the IANA. Sometimes 
abbreviated as AS. 
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Acronym or Expansion of | Short Definition for Definition of Acronym or Term Source for 
Term Acronym Mouseover Definition 
B8ZS binary 8-zero Line-code type, used Line-code type, used on T1 and E1 ITA/Jan 2003 
substitution on T1 and E1 circuits, circuits, in which a special code is 
in which a special code | substituted whenever eight 
is substituted consecutive zeros are sent over the 
whenever eight link. This code then is interpreted at 
consecutive zeros are the remote end of the connection. 
sent over the link. This technique guarantees ones 
density independent of the data 
stream. Sometimes called bipolar 8- 
zero substitution. Compare with AMI. 
See also ones density. 
B channel Bearer channel | DSO time slot that DSO time slot that carries analog ITA/Jan 2003 
carries analog voice or | voice or digital data over ISDN. In 
digital data over ISDN ISDN, a full-duplex, 64-kbps channel 
used to send user data. 
backbone Part of a network that Part of a network that acts as the ITA/Jan 2003 
acts as the primary primary path for traffic that is most 
path for traffic often sourced from, and destined for, 
other networks. 
bandwidth Difference between the | The difference between the highest ITA/Jan 2003 
highest and lowest and lowest frequencies available for 
frequencies for network signals. The term also is 
network signals used to describe the rated throughput 
capacity of a given network medium 
or protocol. The frequency range 
necessary to convey a signal 
measured in units of hertz (Hz). For 
example, voice signals typically 
require approximately 7 kHz of 
bandwidth and data traffic typically 
requires approximately 50 kHz of 
bandwidth. 
baseband Characteristic of a Characteristic of a network ITA/Jan 2003 
network technology technology where only one carrier 
where only one carrier | frequency is used. Ethernet is an 
frequency is used example of a baseband network. Also 
called narrowband. Contrast with 
broadband. 
baud Unit of signaling speed | Unit of signaling speed equal to the ITA/Jan 2003 
where each signal number of discrete signal elements 
element represents transmitted per second. Baud is 
exactly 1 bit synonymous with bits per second 
(bps) if each signal element 
represents exactly 1 bit. 
Bc committed Maximum amount of Negotiated tariff metric in Frame ITA/Jan 2003 
burst data ina Frame Relay | Relay internetworks. The maximum 
network committed to amount of data (in bits) that a Frame 
accept and transmit Relay internetwork is committed to 
accept and transmit at the CIR. 
Be excess burst Number of bits that a Negotiated tariff metric in Frame ITA/Jan 2003 


Frame Relay network 
transmits after Bc 


Relay internetworks. The number of 
bits that a Frame Relay internetwork 
attempts to transmit after Bc is 
accommodated. Be data, in general, 
is delivered with a lower probability 
than Bc data because Be data can be 
marked as DE by the network. 
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Acronym or Expansion of | Short Definition for Definition of Acronym or Term Source for 
Term Acronym Mouseover Definition 
BECN backward Bit set by a Frame Bit set by a Frame Relay network in ITA/Jan 2003 
explicit Relay network in frames traveling in the opposite and BCRAN 
congestion frames traveling in the | direction of frames encountering a Mod7 
notification opposite direction of congested path. DTE receiving 
frames encountering a_ | frames with the BECN bit set can 
congested path. request that higher-level protocols 
take flow control action as 
appropriate. Compare with FECN. 
Cisco routers can respond to BECN 
notifications 
BER bit error rate Ratio of received bits Ratio of received bits that contain ITA/Jan 2003 
that contain errors. errors. 
BERT bit error rate Device that determines | Device that determines the BER ona _ | ITA/Jan 2003 
tester the BER on a given given communications channel. See 
communications also BER (bit error rate). 
channel 
best-effort A network system that | Describes a network system that ITA/Jan 2003 
delivery does not use a does not use a sophisticated 
sophisticated acknowledgment system to 
acknowledgment guarantee reliable delivery of 
system for delivery of information. 
information. 
BISDN Broadband ITU-T communication ITU-T communication standards ITA/Jan 2003 
ISDN standards designed to | designed to handle high-bandwidth 
handle high-bandwidth | applications, such as video. BISDN 
applications, such as currently uses ATM technology over 
video. SONET-based transmission circuits 
to provide data rates from 155 to 622 
Mbps and beyond. Contrast with N- 
ISDN. See also BRI, ISDN, and PRI. 
bit-oriented Class of data link layer | Class of data link layer ITA/Jan 2003 
protocol communication communication protocols that can 
protocols that can transmit frames regardless of frame 
transmit frames content. Unlike byte-oriented 
regardless of frame protocols, bit-oriented protocols 
content provide full-duplex operation and are 
more efficient and reliable. Compare 
with byte-oriented protocol. 
blocking A situation in which In a switching system, a condition in ITA/Jan 2003 
one activity or path which no paths are available to 
cannot begin or be complete a circuit. The term also is 
used until capacity is used to describe a situation in which 
returned. one activity cannot begin until another 
is completed. 
BOC Bell operating Phone companies The several local phone companies ITA/Jan 2003 
company formed by the breakup | formed by the breakup of AT&T. See 
of AT&T also RBOC. 
BPDU bridge protocol | Spanning-Tree Spanning-Tree Protocol hello packet WIP/June 
data unit Protocol hello packet that is sent out at configurable 2002 
used when exchanging | intervals to exchange information 
information among among bridges in the network. 
bridges 
BPV bipolar A one (1) in a bipolar A one (1) in a bipolar signal that has ITA/Jan 2003 
violation signal that has the the same polarity as the preceding 


same polarity as the 
preceding one. 


one. See also coding violation. 
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Acronym or Expansion of | Short Definition for Definition of Acronym or Term Source for 
Term Acronym Mouseover Definition 
BRI Basic Rate ISDN interface ISDN interface composed of two B ITA/Jan 2003 
Interface composed of two B channels and one D channel for 
channels and one D circuit-switched communication of 
channel voice, video, and data. 

bridge Device that connects Device that connects and passes ITA/Jan 2003 
network segments that | packets between two network 
use the same protocol | segments that use the same 

communications protocol. Bridges 
operate at the data-link layer (Layer 
2) of the OSI reference model. In 
general, a bridge filters, forwards, or 
floods an incoming frame based on 
the MAC address of that frame. 

bridge static Process in which a The process in which a bridge ITA/Jan 2003 

filtering bridge maintains a maintains a filtering database 
filtering database consisting of static entries. Each 

static entry equates a MAC 
destination address with a port that 
can receive frames with this MAC 
destination address and a set of ports 
on which the frames can be 
transmitted. Defined in the IEEE 
802.1 standard. 

Broadband Refers to the ability to Refers to the ability to frequency- BCRAN 
frequency-division division multiplex (FDM) many signals | Mod11 
multiplex (FDM) many | in a wide RF bandwidth over an HFC 
signals in a wide RF network, and the ability to handle vast 
bandwidth over an amounts of information. 

HFC network, and the 
ability to handle vast 
amounts of 
information. 

broadband Transmission system 1. Describes facilities or services that | ITA/Jan 2003 
that multiplexes operate at the DS3 rate and above. 
multiple independent For example, a Broadband DCS 
signals onto one cable | makes cross-connections at the DS3, 
having a bandwidth STS-1, and STS-Nc levels. Similarly, 
greater than a voice- Broadband ISDN provides about 150 
grade channel (4 kHz). | Mb/s per channel of usable 

bandwidth. 2. Transmission system 
that multiplexes multiple independent 
signals onto one cable. 

3. Telecommunications terminology: 
Any channel having a bandwidth 
greater than a voice-grade channel (4 
kHz). 

4. LAN terminology: A coaxial cable 
on which analog signaling is used. An 
RF system with a constant data rate 
at or above 1.5 Mbps. Also called 
wideband. Contrast with baseband. 

broadcast Data packets that are Data packets that are sent to all ITA/Jan 2003 
sent to all nodes ona nodes on a network. Broadcasts are 
network identified by a broadcast address. 

broadcast Special address A special address reserved for ITA/Jan 2003 

address reserved for sending a | sending a message to all stations. 


message to all stations 


Generally, a broadcast address is a 
MAC destination address of all ones. 
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Acronym or Expansion of | Short Definition for Definition of Acronym or Term Source for 
Term Acronym Mouseover Definition 
broadcast All devices that receive | Set of all devices that receive ITA/Jan 2003 
domain broadcast frames broadcast frames originating from any 
originating from any device within the set. Broadcast 
device within the set domains typically are bounded by 
routers because routers do not 
forward broadcast frames. 
broadcast storm Network event where An undesirable network event in ITA/Jan 2003 
many broadcasts are which many broadcasts are sent 
sent simultaneously simultaneously across all network 
across all network segments. A broadcast storm uses 
segments substantial network bandwidth and, 
typically, causes network time-outs. 
burst Sequence of signals In data communications, a sequence ITA/Jan 2003 
counted as one unit of signals counted as one unit in 
based on a specific accordance with some specific 
measure criterion or measure. 
bursty traffic An uneven pattern of A data communications term referring | ITA/Jan 2003 
data transmission to an uneven pattern of data 
transmission. 
CA certificate Certificate of Certificate of Authority | [Digital] certificate for one CA issued ITA/Jan 2003 
Authority certificate by another CA. 
certificate 
cable Transmission medium | Transmission medium of copper wire | ITA/Jan 2003 
of copper wire or ——_—|_ or optical fiber wrapped in a 
optical fiber wrapped in protective cover. 
a protective cover. 
cable modem Modem that at Modulator-demodulator device thatis | ITA/Jan 2003 
subscriber locations to | placed at subscriber locations to 
convey data convey data communications on a 
communications on a cable television system. 
cable television 
system. 
cable router Router optimized for Modular chassis-based router ITA/Jan 2003 
data-over-CATV hybrid | optimized for data-over-CATV hybrid 
fiber-coaxial fiber-coaxial (HFC) applications. 
call An attempted An attempted connection between ITA/Jan 2003 
connection between remote systems, such as a telephone 
remote systems call through the PSTN. 
CAP carrierless An earlier and more An earlier and more easily BCRAN 
amplitude/ easily implemented implemented modulation used on Mod11 
phase modulation used on many of the early installations of 
many of the early ADSL. 
installations of ADSL. 
CATV Cable TV Originally an acronym A communication system where ITA/Jan 2003 
for community antenna | multiple channels of programming and BCRAN 
television; today the material are transmitted to homes Mod11 


term is generally 
accepted to mean 
cable TV. A system 
where multiple 
channels of 
programming material 
are transmitted to 
homes using 
broadband coaxial 
cable 


using broadband coaxial cable. 
Formerly called Community Antenna 
Television. 
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cause codes The coded reason for Code that indicates the reason for ITA/Jan 2003 
ISDN call failure or ISDN call failure or completion. 
completion. 
CBDS Connectionles | European high-speed, European high-speed, packet- ITA/Jan 2003 
s Broadband packet-switched, switched, datagram-based WAN 
Data Service. datagram-based WAN | networking technology. 
networking technology. 
CBWFQ class-based Defines traffic classes The bandwidth assigned to aclass is | BCRAN Mod9 
weighted fair (typically using ACLs) used to calculate the "weight" of that 
queueing and then applies class. The weight of each packet that 
parameters, such as matches the class criteria is also 
bandwidth and queue- | calculated from this. WFQ is then 
limits to these classes. | applied to the classes (which can 
include several flows) rather than the 
flows themselves. 
CCITT Consultative International International organization responsible | ITA/Jan 2003 
Committee for | organization for the development of 
International responsible for the communications standards. Now 
Telegraph and | development of called the ITU-T. See also ITU-T. 
Telephone communications 
standards. Now called 
the ITU-T. 
CD Carrier Detect | A signal that indicates | A signal that indicates whether an ITA/Jan 2003 
whether an interface is | interface is active. Also, a signal 
active generated by a modem indicating that 
a call has been connected. 
CDP Cisco Cisco protocol that Media- and protocol-independent ITA/Jan 2003 
Discovery allows a device to device-discovery protocol that runs 
Protocol advertise its existence | on all Cisco-manufactured 
and receive equipment, including routers, access 
information about other | servers, bridges, and switches. Using 
devices CDP, a device can advertise its 
existence to other devices and 
receive information about other 
devices on the same LAN or on the 
remote side of a WAN. Runs on all 
media that support SNAP, including 
LANs, Frame Relay, and ATM media. 
CET Cisco 40- and 56-bit DES network layer BCRAN Mod5 
Encryption encryption available since Cisco |OS 
Technology Software Release 11.2. 
channel Communication path 1. Communication path wide enough ITA/Jan 2003 


to permit a single RF transmission. 
Multiple channels can be multiplexed 
over a single cable in certain 
environments. 


2. In IBM, the specific path between 
large computers (Such as 
mainframes) and attached peripheral 
devices. 


3. Specific frequency allocation and 
bandwidth. Downstream channels are 
used for television in the United 
States are 6 MHz wide. 
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channelized E1 Access link operating Access link operating at 2.048 Mbps ITA/Jan 2003 
at 2.048 Mbps that is that is subdivided into 30 B-channels 
subdivided into 30 B- and 1 D-channel. Supports DDR, 
channels and 1 D- Frame Relay, and X.25. Compare 
channel with channelized T1 
channelized T1 Access link operating Access link operating at 1.544 Mbps ITA/Jan 2003 
at 1.544 Mbps that is that is subdivided into 24 channels 
subdivided into 24 (23 B channels and 1 D channel) of 
channels (23 B 64 kbps each. The individual 
channels and 1 D channels or groups of channels 
channel) of 64 kbps connect to different destinations. 
each. Supports DDR, Frame Relay, and 
X.25. Also called fractional T1. 
CHAP Challenge Security feature Security feature supported on lines ITA/Jan 2003 
Handshake supported on lines using PPP encapsulation that 
Authentication | using PPP prevents unauthorized access. CHAP 
Protocol encapsulation does not itself prevent unauthorized 
access, but merely identifies the 
remote end. The router or access 
server then determines whether that 
user is allowed access. 
chat script String of text that String of text that defines the login ITA/Jan 2003 
defines the login "conversation" that occurs between 
"conversation" that two systems. Consists of expect-send 
occurs between pairs that define the string that the 
modems. local system expects to receive from 
the remote system and what the local 
system should send as a reply. 
checksum Method for checking Method for checking the integrity of ITA/Jan 2003 
the integrity of transmitted data. A checksum is an 
transmitted data using | integer value computed from a 
an integer value sequence of octets taken through a 
series of arithmetic operations. The 
value is recomputed at the receiving 
end and is compared for verification. 
Cipher Cryptographic Cryptographic algorithm for ITA/Jan 2003 
algorithm for encryption and decryption. 
encryption and 
decryption. 
Ciphertext Data encrypted so that | Data that has been transformed by ITA/Jan 2003 
its meaning is no encryption so that its semantic 
longer intelligible or information content (that is, its 
directly available meaning) is no longer intelligible or 
directly available 
CIR committed Rate at which a Frame _ | The rate at which a Frame Relay ITA/Jan 2003 
information Relay network agrees network agrees to transfer 
rate to transfer information information under normal conditions, 


averaged over a minimum increment 
of time. CIR, measured in bits per 
second, is one of the key negotiated 
tariff metrics. 
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Cisco lOS Software that provides | Cisco Systems software that provides | ITA/Jan 2003 
common functionality common functionality, scalability, and 
for Cisco products security for all Cisco products. Cisco 
1OS allows centralized, integrated, 
and automated installation and 
management of internetworks while 
ensuring support for a wide variety of 
protocols, media, services, and 
platforms. 
CLI command-line Interface that allows An interface that allows the user to ITA/Jan 2003 
interface the user to interact interact with the operating system by 
with the operating entering commands and optional 
system arguments. The UNIX operating 
system and DOS provide CLIs. 
CLID calling line ID Information about the Information about the billing ITA/Jan 2003 
telephone number telephone number from which a call 
from which a call originated. The CLID value might be 
originated. the entire phone number, the area 
code, or the area code plus the local 
exchange. Also known as Caller ID. 
CM cable modem Device used to Device used to connect a PC toa ITA/Jan 2003 
connect a PC to a local | local cable TV line and receive data 
cable TV line at much higher rates than ordinary 
telephone modems or ISDN. A cable 
modem can be added to or integrated 
with a set-top box, thereby enabling 
Internet access via a television set. In 
most cases, cable modems are 
furnished as part of the cable access 
service and are not purchased 
directly and installed by the 
subscriber. 
CMI coded mark ITU-T line coding ITU-T line coding technique specified | ITA/Jan 2003 
inversion technique specified for | for STS-3c transmissions. Also used 
STS-3c transmissions in DS-1 systems. See also DS-1 and 
STS-3c. 
CMTS cable modem Any DOCSIS- A cable modem termination system, ITA/Jan 2003 
termination compliant headend such as a router or a bridge, typically 
system cable router located at the cable headend. Any 
DOCSIS-compliant headend cable 
router, such as the Cisco UBR7246. 
CNR Carrier-to- The difference in The difference in amplitude between BCRAN 
noise amplitude between the | the desired RF carrier and the noise Mod11 
desired RF carrier and | in a defined bandwidth. 
the noise in a defined 
bandwidth. 
CO central office Local telephone The local telephone company office ITA/Jan 2003 
company office to to which all local loops in a given area 
which all local loops in | connect and in which circuit switching 
an area connect of subscriber lines occurs. 
coaxial cable The principal physical Coaxial cable is used to transport RF_ | BCRAN 
media with which signals. Coaxial cable signal loss Mod11 


CATV systems are 
built. 


(attenuation) is a function of the 
diameter of the cable, dielectric 
construction, ambient temperature, 
and operating frequency (f). 
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codec coder-decoder | Device that transforms | 1. Integrated circuit device that ITA/Jan 2003 
analog signals into a typically uses pulse code modulation 
digital bit stream and to transform analog signals into a 
digital signals back into | digital bit stream and digital signals 
analog signals. back into analog signals. 
2. In Voice over IP, Voice over Frame 
Relay, and Voice over ATM, a DSP 
software algorithm used to 
compress/decompress speech or 
audio signals. 
collision In Ethernet, result of In Ethernet, the result of two nodes ITA/Jan 2003 
two nodes transmitting | transmitting simultaneously. The 
simultaneously frames from each device impact and 
are damaged when they meet on the 
physical media. 
collision domain Network area within In Ethernet, the network area within ITA/Jan 2003 
which frames that have | which frames that have collided are 
collided are propagated. Repeaters and hubs 
propagated propagate collisions; LAN switches, 
bridges, and routers do not. 
communications Physical link that Physical link (such as wire or a ITA/Jan 2003 
line connects devices to telephone circuit) that connects one 
other devices or more devices to one or more other 
devices. 
configuration User-configurable In Cisco routers, a 16-bit, user- ITA/Jan 2003 
register value that determines configurable value that determines 
how a Cisco router how the router functions during 
initializes initialization. The configuration 
register can be stored in hardware or 
software. In hardware, the bit position 
is set using a jumper. In software, the 
bit position is set by specifying a 
hexadecimal value using 
configuration commands. 
connectionless Data transfer without a | Term used to describe data transfer ITA/Jan 2003 
virtual circuit without the existence of a virtual 
circuit. 
connection- Data transfer that Term used to describe data transfer ITA/Jan 2003 
oriented requires a virtual circuit | that requires the establishment of a 
virtual circuit. 
core router Router that is part of In a packet-switched star topology, a ITA/Jan 2003 


the backbone in a star 
topology 


router that is part of the backbone 
and that serves as the single pipe 
through which all traffic from 
peripheral networks must pass on its 
way to other peripheral networks. 
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CPE customer Equipment at customer | Terminating equipment, such as ITA/Jan 2003 
premises sites, connected to the | terminals, telephones, and modems, 
equipment telephone company supplied by the telephone company, 
network installed at customer sites, and 
connected to the telephone company 
network. Can also refer to any 
telephone equipment residing on the 
customer site. 
cps cells per Unit of measure used Unit of measure used for ATM switch | ITA/Jan 2003 
second for ATM switch volumes. 
volumes. 
cRTP compressed cRTP, RFC 1889, provides bandwidth 
Real-Time efficiency over low-speed links by 
Transport compressing the UDP/RTP/IP header 
Protocol when transporting voice. With cRTP, 
the header for VoIP traffic can be 
reduced from 40 bytes to 
approximately 2 to 5 bytes. cRTP is 
supported over Frame Relay, ATM, 
PPP, MLP, and HDLC encapsulated 
interfaces. 
cryptographic Algorithm that employs | Algorithm that employs the science of | ITA/Jan 2003 
algorithm the science of cryptography, including encryption 
cryptography algorithms, cryptographic hash 
algorithms, digital signature 
algorithms, and key agreement 
algorithms. 
cryptographic Input parameter that Usually shortened to just "key." Input ITA/Jan 2003 
key varies the parameter that varies the 
transformation transformation performed by a 
performed by a cryptographic algorithm. 
cryptographic 
algorithm. 
CSU Channel Digital interface device | Digital interface device that connects | ITA/Jan 2003 
service unit that connects end-user | end-user equipment to the local 
equipment to the local digital telephone loop. Often referred 
digital telephone loop to together with DSU, as CSU/DSU. 
See also DSU. 
CTS Clear To Send | Clear To Send Circuit in the EIA/TIA-232 ITA/Jan 2003 
specification that is activated when 
DCE is ready to accept data from a 
DTE. 
custom queuing Reserves a Up to 16 output queues can be BCRAN Mod9 
percentage of configured for normal data and an 
bandwidth for specified | additional queue can be created for 
protocols system messages such as LAN 
keepalives. Each queue is serviced 
sequentially, by transmitting a 
configurable percentage of traffic and 
then moving on to the next queue 
D channel data channel Full-duplex, 16-kbps Full-duplex, 16-kbps (BRI), or 64- ITA/Jan 2003 
(BRI), or 64-kbps (PRI) | kbps (PRI) ISDN channel. 
ISDN channel 
D4 framing Super Frame See SF ITA/Jan 2003 
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data circuit- 
terminating 
equipment 


Expansion of 
Acronym 


Short Definition for 
Mouseover 


See DCE 


Definition of Acronym or Term 


See DCE. Also known as data 
communications equipment 


Source for 
Definition 


ITA/Jan 2003 


data-link layer 


Layer 2 of the OSI 
reference model. 


Layer 2 of the OSI reference model. 
Provides reliable transit of data 
across a physical link. The data-link 
layer is concerned with physical 
addressing, network topology, line 
discipline, error notification, ordered 
delivery of frames, and flow control. 
The IEEE divided this layer into two 
sublayers: the MAC sublayer and the 
LLC sublayer. Sometimes simply 
called link layer. Roughly 
corresponds to the data-link control 
layer of the SNA model. 


ITA/Jan 2003 


data terminal 
equipment 


See DTE 


See DTE 


ITA/Jan 2003 


datagram 


Logical grouping of 
information sent as a 
network layer unit 


Logical grouping of information sent 
as a network layer unit over a 
transmission medium without prior 
establishment of a virtual circuit. IP 
datagrams are the primary 
information units in the Internet. The 
terms cell, frame, message, packet, 
and segment also are used to 
describe logical information groupings 
at various layers of the OSI reference 
model and in various technology 
circles. 


ITA/Jan 2003 


DCE 


data circuit- 
terminating 
equipment 
(ITU-T 
expansion) 


Network connections 
that comprise the 
network end of the 
user-to-network 
interface 


Devices and connections of a 
communications network that 
comprise the network end of the user- 
to-network interface. The DCE 
provides a physical connection to the 
network, forwards traffic, and 
provides a clocking signal used to 
synchronize data transmission 
between DCE and DTE devices. 
Modems and interface cards are 
examples of DCE. 


ITA/Jan 2003 


DDR 


dial-on- 
demand 
routing 


Technique whereby a 
router automatically 
initiates and closes a 
circuit-switched 
session 


Technique whereby a router can 
automatically initiate and close a 
circuit-switched session as 
transmitting stations demand. The 
router spoofs keepalives so that end 
stations treat the session as active. 
DDR permits routing over ISDN or 
telephone lines using an external 
ISDN terminal adaptor or modem. 


ITA/Jan 2003 


DE 


discard eligible 


Traffic that can be 
dropped if the network 
is congested 


If the network is congested, DE traffic 
can be dropped to ensure the delivery 
of higher priority traffic. 


ITA/Jan 2003 
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DEA Data Symmetric block Symmetric block cipher, defined as ITA/Jan 2003 
Encryption cipher, defined as part | part of the U.S. Government's Data 
Algorithm of the U.S. Encryption Standard. DEA uses a 64- 
Government's Data bit key, of which 56 bits are 
Encryption Standard independently chosen and 8 are 
parity bits, and maps a 64-bit block 
into another 64-bit block. 
decrypt Restore ciphertext to Cryptographically restore ciphertext ITA/Jan 2003 
the plaintext form to the plaintext form it had before 
encryption. 
decryption Reverse application of | Reverse application of an encryption ITA/Jan 2003 
an encryption algorithm to encrypted data, thereby 
algorithm to encrypted | restoring that data to its original, 
data unencrypted state. See also 
encryption. 
dedicated LAN Network segment Network segment allocated to a ITA/Jan 2003 
allocated to a single single device. Used in LAN switched 
device network topologies. 
dedicated line Communications line Communications line that is ITA/Jan 2003 
that is indefinitely indefinitely reserved for 
reserved for transmissions, rather than switched 
transmissions as transmission is required. See also 
leased line. 
default route Routing table entry Routing table entry that is used to ITA/Jan 2003 
that directs frames direct frames for which a next hop is 
without a next hop in not explicitly listed in the routing 
the routing table table. 
DEK data encryption of message | Used for the encryption of message ITA/Jan 2003 
encryption key | text and for the text and for the computation of 
computation of message integrity checks 
signatures (signatures). 
delay Time between a The time between the initiation of a ITA/Jan 2003 
sender transaction and | transaction by a sender and the first 
the first response response received by the sender. 
received by the sender | Also, the time required to move a 
packet from source to destination 
over a given path. 
demarc Demarcation point Demarcation point between carrier ITA/Jan 2003 
between carrier equipment and CPE. 
equipment and CPE 
demodulation Returning a modulated | Process of returning a modulated ITA/Jan 2003 
signal to its original signal to its original form. Modems 
form perform demodulation by taking an 
analog signal and returning it to its 
original (digital) form. 
demodulator Device for assembling Device for assembling signals after ITA/Jan 2003 


signals after they have 
been received by an 
antenna. 


they have been received by an 
antenna. A demodulator is typically 
the first major device downstream 
from an antenna receiving system 
and exists on the block diagram prior 
to various Cisco devices. The 
corresponding device on the 
transmission side of a system is a 
modulator. 
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demultiplexing Separating of multiple Separating of multiple input streams ITA/Jan 2003 
input streams from a that were multiplexed into a common 
common physical physical signal back into multiple 
signal back into output streams. See also 
multiple output multiplexing. 
streams 
demux demultiplexer Device that separates Device used to separate two or more | ITA/Jan 2003 
two or more signals signals that previously were 
that previously were combined by a compatible multiplexer 
combined by a and are transmitted over a single 
compatible multiplexer | channel. 
DES Data Standard Standard cryptographic algorithm ITA/Jan 2003 
Encryption cryptographic developed by the U.S. National 
Standard algorithm from the U.S. | Bureau of Standards. 
National Bureau of 
Standards. 
designated Bridge that incurs the Bridge that incurs the lowest path ITA/Jan 2003 
bridge lowest path cost when __| cost when forwarding a frame from a 
forwarding a frame to segment to the root bridge. 
the root bridge 
designated OSPF router that OSPF router that generates link-state | ITA/Jan 2003 
router generates link-state advertisements for a multi-access 
advertisements for a network and has other special 
multi-access network responsibilities in running OSPF. 
Each multi-access OSPF network 
that has at least two attached routers 
has a designated router that is 
elected by the OSPF Hello protocol. 
The designated router enables a 
reduction in the number of 
adjacencies required on a multi- 
access network, which in turn 
reduces the amount of routing 
protocol traffic and the size of the 
topological database. 
destination Address of a network Address of a network device that is ITA/Jan 2003 
address device that is receiving | receiving data. 
data 
D-H Diffie-Hellman The algorithm in the The Diffie-Hellman algorithm, ITA/Jan 2003 


first system to utilize 
"public-key" or 
"asymmetric" 
cryptographic keys 


introduced by Whitfield Diffie and 
Martin Hellman in 1976, was the first 
system to utilize "public-key" or 
"asymmetric" cryptographic keys. 
Today Diffie-Hellman is part of the 
IPSec standard. A protocol known as 
OAKLEY uses Diffie-Hellman, as 
described in RFC 2412. OAKLEY is 
used by the Internet Key Exchange 
(IKE) protocol (see RFC 2401), which 
is part of the overall framework called 
Internet Security Association and Key 
Management Protocol (ISAKMP; see 
RFC 2408). 
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dial backup Feature that provides _| Feature that provides protection BCRAN Mod6 
protection against against WAN downtime by allowing 
WAN downtime by the network administrator to configure 
allowing the network a backup serial line through a circuit- 
administrator to switched connection. 
configure a backup 
serial line through a 
circuit-switched 
connection. 
dial-up line Communications over Communications circuit that is ITA/Jan 2003 
a switched-circuit established by a switched-circuit 
connection using the connection using the telephone 
telephone company company network. 
network 
Dialer interface logical entity that uses | logical entity that uses a per- BCRAN Mod6 
a per-destination dialer | destination dialer profile. 
profile. 
Dialer profiles separate the “logical” . Profiles can define encapsulation, BCRAN Mod6 
configuration from the access control lists, minimum or 
interface receiving or maximum calls, and turn features on 
making calls. or off 
Diffie-Hellman A public key A public key cryptography protocol ITA/Jan 2003 
key exchange cryptography protocol that allows two parties to establish a 
that allows two parties | shared secret over insecure 
to establish a shared communications channels. Diffie- 
secret over insecure Hellman is used within Internet Key 
communications Exchange (IKE) to establish session 
channels keys. Diffie-Hellman is a component 
of Oakley key exchange. Cisco lOS 
software supports 768-bit and 1024- 
bit Diffie-Hellman groups. 
digital certificate Certificate document to | Certificate document in the form of a ITA/Jan 2003 
which is appended a digital data object (a data object used 
computed digital by a computer) to which is appended 
signature value a computed digital signature value 
that depends on the data object. 
digital envelope a combination of Digital envelope for a recipient is a ITA/Jan 2003 
encrypted content data | combination of (a) encrypted content 
and the content data (of any kind) and (b) the content 
encryption key in an encryption key in an encrypted form 
encrypted form that has been prepared for the use of 
the recipient. 
digital signature Value computed with a | Value computed with a cryptographic | ITA/Jan 2003 


cryptographic 
algorithm and 
appended to a data 
object to verify the 
data's origin and 
integrity 


algorithm and appended to a data 
object in such a way that any 
recipient of the data can use the 
signature to verify the data's origin 
and integrity. 
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distance vector Routing algorithms that | Class of routing algorithms that ITA/Jan 2003 
routing use the number of iterate on the number of hops in a 
algorithm hops to find a shortest- | route to find a shortest-path spanning 
path spanning tree tree. Distance vector routing 
algorithms call for each router to send 
its entire routing table in each update, 
but only to its neighbors. Distance 
vector routing algorithms can be 
prone to routing loops, but are 
computationally simpler than link- 
state routing algorithms. Also called 
Bellman-Ford routing algorithm. 
Distribution In a classic tree-and- The trunk is the backbone. The trunk | BCRAN 
network branch cable system, distributes signals throughout the Mod11 
trunk and feeder community being served. Typically 
cables comprise the uses 0.750-inch (19 mm) diameter 
distribution network. coaxial cable. The feeder branches 
off of the trunk, and passes all of the 
homes in the service area. Typically 
uses 0.500-inch (13 mm) diameter 
coaxial cable. 
DLCI data-link Value that specifies a Value that specifies a PVC or an SVC | ITA/Jan 2003 
connection PVC or an SVC ina in a Frame Relay network. In the 
identifier Frame Relay network basic Frame Relay specification, 
DLCls are locally significant. 
(Connected devices might use 
different values to specify the same 
connection.) In the LMI extended 
specification, DLCls are globally 
significant (DLClIs specify individual 
end devices). 
DMT discrete The official ANSI and The official ANSI and ITU standard BCRAN 
multitone ITU standard for for ADSL. Mod11 
ADSL. 
DNS Domain Name_ | System used on the System used on the Internet for ITA/Jan 2003 
System Internet for translating translating names of network nodes 
names of network into addresses. 
nodes into addresses. 
DOCSIS Data-over- Defines specific Defines technical specifications for ITA/Jan 2003 
Cable Service bandwidths for data equipment at both subscriber and BCRAN 
Interface signals (200kHz, locations and cable operators’ Mod11 
Specifications 400kHz, 800kHz, headends. Adoption of DOCSIS will 
1.6Mh and 3.2MHz), accelerate the deployment of data- 
which the cable over-cable services and will ensure 
operator can use. interoperability of equipment 
throughout system operators’ 
infrastructures. 
DOCSIS CM DOCSIS cable | DOCSIS cable modem | DOCSIS CMs obtain boot ITA/Jan 2003 
modem configuration using DHCP, Time, and 
TFTP client implementations. 
DOCSIS CMTS | DOCSIS cable | DOCSIS cable modem | The Cisco 7246 or 7223 router is a ITA/Jan 2003 
modem termination system leading router implementation of a 
termination DOCSIS CMTS 
system 
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DOCSIS File containing File containing configuration ITA/Jan 2003 
configuration file configuration parameters for a DOCSIS cable 
parameters for a modem. The cable modem obtains 
DOCSIS cable modem | this file at boot time using the TFTP 
protocol. 
dot address Common notation for Refers to the common notation for IP | ITA/Jan 2003 
IP addresses in the addresses in the form n.n.n.n where 
form n.n.n.n each number n represents, in 
decimal, 1 byte of the 4-byte IP 
address. Also called dotted notation 
and four-part dotted notation. 
dotted decimal Representation of IP Syntactic representation for a 32-bit ITA/Jan 2003 
notation addresses on the integer that consists of four 8-bit 
Internet numbers written in base 10 with 
periods (dots) separating them. Used 
to represent IP addresses on the 
Internet, as in 192.67.67.20. Also 
called dotted quad notation. 
DS downsteam RF signal flow from RF signal flow from headend toward BCRAN Mod1 
headend toward subscribers. Also called forward path. 
subscribers. Also 
called forward path. 
DSO digital service Single timeslot on a Single timeslot on a DS1 (also known =| ITA/Jan 2003 
zero (0) DS1 (also known as as T1) digital interface-that is, a 64- 
T1) digital interface kbps, synchronous, full-duplex data 
channel, typically used for a single 
voice connection on a PBX. 
DS-0 digital signal Framing for digital Framing specification used in ITA/Jan 2003 
level 0 signals over a single transmitting digital signals over a 
channel at 64-kbps on _| single channel at 64-kbps on a T1 
aT1 facility. facility. Compare with DS-1 and DS- 
3. 
DS1 digital service Interface with a 1.544- | Interface with a 1.544-Mbps data rate | ITA/Jan 2003 
1 Mbps data rate that that often carries voice interface 
often carries voice connections on a PBX. Each DS1 
interface connections (also known as T1) has 24 DSO 
ona PBX channels framed together so that 
each DSO timeslot can be assigned to 
a different type of trunk group, if 
desired. 
DS-1 digital signal Framing for digital Framing specification used in ITA/Jan 2003 
level 1 signals at 1.544-Mbps__| transmitting digital signals at 1.544- 
onaT/1 facility (in the Mbps ona T11 facility (in the United 
US) or at 2.108-Mbps States) or at 2.108-Mbps on an E1 
on an E1 facility (in facility (in Europe). Compare with DS- 
Europe). 0 and DS-3. See also E1 and T1. 
DS-3 digital signal Framing for digital Framing specification used for ITA/Jan 2003 
level 3 signals at 44.736 Mbps | transmitting digital signals at 44.736 


ona T3 facility. 


Mbps on a T3 facility. Compare with 
DS-0 and DS-1. See also E3 and 
T.120. 
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DSL digital Public network There are four types of DSL: ADSL, ITA/Jan 2003 
subscriber line. | technology that HDSL, SDSL, and VDSL. All are 
delivers high provisioned via modem pairs, with 
bandwidth over one modem located at a central office 
conventional copper and the other at the customer site. 
wiring at limited Because most DSL technologies do 
distances. not use the whole bandwidth of the 
twisted pair, there is room remaining 
for a voice channel. 
DSLAM digital A device for A device that connects many digital ITA/Jan 2003 
subscriber line | multiplexing the DSL subscriber lines to a network by 
access traffic onto one or multiplexing the DSL traffic onto one 
multiplexer more network trunk or more network trunk lines. 
lines 
DSn digital signal A classification of A classification of digital circuits. The ITA/Jan 2003 
level n digital circuits. DS technically refers to the rate and 
the format of the signal, whereas the 
T designation refers to the equipment 
providing the signals. In practice, DS 
and T are used synonymously; for 
example, DS1 and T1, DS3 and T3. 
DSR data setready | EIA/TIA-232 interface EIA/TIA-232 interface circuit that is ITA/Jan 2003 
circuit that is activated | activated when DCE is powered up 
when DCE is powered _ | and ready for use. 
up and ready for use. 
DSU data service data service unit Device used in digital transmission ITA/Jan 2003 
unit that adapts the physical interface on 
a DTE device to a transmission 
facility, such as T1 or E1. The DSU 
also is responsible for such functions 
as signal timing. Often referred to 
together with CSU, as CSU/DSU. 
DTE data terminal Device at the user end | Device at the user end of a user- ITA/Jan 2003 
equipment of a user-network network interface that serves as a 
interface that serves data source, destination, or both. 
as a data source, DTE connects to a data network 
destination, or both. through a DCE device (for example, a 
modem) and typically uses clocking 
signals generated by the DCE. DTE 
includes such devices as computers, 
protocol translators, and multiplexers. 
Compare with DCE . 
DTR data terminal data terminal ready EIA/TIA-232 circuit that is activated to | ITA/Jan 2003 
ready let the DCE know when the DTE is 
ready to send and receive data. 
dynamic routing Routing that adjusts Routing that adjusts automatically to ITA/Jan 2003 
automatically to network topology or traffic changes. 
network topology Also called adaptive routing. 
changes 
E1 Wide-area digital Wide-area digital transmission ITA/Jan 2003 


transmission scheme 
operating at 2.048 
Mbps 


scheme used predominantly in 
Europe that carries data at a rate of 
2.048 Mbps. E71 lines can be leased 
for private use from common carriers. 
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E3 European WAN Wide-area digital transmission ITA/Jan 2003 
transmission scheme scheme used predominantly in 
that carries data ata Europe that carries data at a rate of 
rate of 34.368 Mbps 34.368 Mbps. E3 lines can be leased 
for private use from common carriers. 
Compare with T.120. See also DS-3. 
EIA Electronic Group that specifies Group that specifies electrical ITA/Jan 2003 
Industries electrical transmission | transmission standards. The EIA and 
Alliance standards the TIA have developed numerous 
well-known communications 
standards, including EIA/TIA-232 and 
EIA/TIA-449. See also TIA. 
EIA/TIA-232 Common physical Common physical layer interface ITA/Jan 2003 
layer interface standard, developed by EIA and TIA 
standard for signal that supports unbalanced circuits at 
speeds of up to 64 signal speeds of up to 64 kbps. 
kbps Closely resembles the V.24 
specification. Formerly called RS- 
232. 
EIGRP Enhanced Advanced version of Advanced version of IGRP developed | ITA/Jan 2003 
Interior IGRP that provides by Cisco. Provides superior 
Gateway superior convergence convergence properties and 
Routing and efficiency operating efficiency, and combines 
Protocol the advantages of link-state protocols 
with those of distance vector 
protocols. 
encapsulation Wrapping of data ina Wrapping of data in a particular ITA/Jan 2003 
particular protocol protocol header. For example, 
header Ethernet data is wrapped in a specific 
Ethernet header before network 
transit. Also, when bridging dissimilar 
networks, the entire frame from one 
network is simply placed in the 
header used by the data-link layer 
protocol of the other network. 
encoder Device that modifies Device that modifies information into ITA/Jan 2003 
information into the the required transmission format. 
required transmission 
format. 
encryption Altering the Application of a specific algorithm to ITA/Jan 2003 
appearance of the data | data so as to alter the appearance of 
making it the data making it incomprehensible 
incomprehensible to to those who are not authorized to 
those who are not see the information. See also 
authorized to see the decryption. 
information 
encryption Public-key certificate Public-key certificate that contains a ITA/Jan 2003 
certificate that contains a public public key that is intended to be used 
key for encrypting data, rather than for 
verifying digital signatures or 
performing other cryptographic 
functions. 
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end-to-end Continuous encryption | Continuous protection of data that ITA/Jan 2003 
encryption protection of data that flows between two points ina 
flows between two network, provided by encrypting data 
points in a network, when it leaves its source, leaving it 
encrypted while it passes through any 
intermediate computers (Such as 
routers), and decrypting only when 
the data arrives at the intended 
destination. 
enterprise Large and diverse Large and diverse network ITA/Jan 2003 
network network connecting connecting most major points in a 
most major points ina | company or other organization. 
company or other : : cg 
organization Differs from a WAN in that it iS 
privately owned and maintained. 
ephemeral key A public key or a A public key or a private key that is ITA/Jan 2003 
private key that is relatively short-lived. 
relatively short-lived. 
ESP Encapsulating Security protocol that provides data 
Security privacy services, optional data 
Payload authentication, and antireplay 
services. ESP encapsulates the data 
to be protected. 
Ethernet Networks that use Baseband LAN specification invented | ITA/Jan 2003 
CSMA/CD and run by Xerox Corporation and developed 
over different cable jointly by Xerox, Intel, and Digital 
types Equipment Corporation. Ethernet 
networks use CSMA/CD and run over 
a variety of cable types at 10 Mbps. 
Ethernet is similar to the IEEE 802.3 
series of standards. 
EXEC Interactive command Interactive command processor of ITA/Jan 2003 
processor of Cisco IOS | Cisco IOS. 
Fast Ethernet 100-Mbps Ethernet Any of a number of 100-Mbps ITA/Jan 2003 
specification Ethernet specifications. Fast Ethernet 
offers a speed increase 10 times that 
of the 10BaseT Ethernet specification 
while preserving such qualities as 
frame format, MAC mechanisms, and 
MTU. Such similarities allow the use 
of existing 10BaseT applications and 
network management tools on Fast 
Ethernet networks. Based on an 
extension to the IEEE 802.3 
specification. 
FCS frame check Extra characters Extra characters added to a frame for | ITA/Jan 2003 
sequence added to a frame for error control purposes. Used in 
error control purposes HDLC, Frame Relay, and other data- 
link layer protocols. 
FDDI Fiber Standard specifying a LAN standard, defined by ANSI ITA/Jan 2003 
Distributed 100-Mbps token- X3T9.5, specifying a 100-Mbps 
Data Interface | passing network using | token-passing network using fiber- 
fiber-optic cable optic cable, with transmission 
distances of up to 2 km. FDDI uses a 
dual-ring architecture to provide 
redundancy. 
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FDM frequency- An RF transmission An RF transmission method in which BCRAN 
division method in which a a number of transmitters share a Mod11 
multiplexing number of transmitters | transmission medium. Each 
share a transmission transmitter occupies a different 
medium. Each frequency. 
transmitter occupies a 
different frequency. 
FEC forward error In data transmission, a | . It allows the receiver to determine if BCRAN 
correction process by which certain classes of errors have Mod11 
additional data is occurred in transmission and, in 
added that is derived some cases, allows other classes of 
from the payload by an | errors to be corrected. 
assigned algorithm. 
FECN forward explicit | Bit set by a Frame Bit set by a Frame Relay network to ITA/Jan 2003 
congestion Relay network to inform the DTE receiving the frame 
notification inform the receiving that congestion was experienced in 
DTE of network the path from source to destination. 
congestion DTE receiving frames with the FECN 
bit set can request that higher-level 
protocols take flow-control action as 
appropriate. 
FIFO First-in, first- Queuing is the classic With FIFO, transmission occurs in the | BCRAN Mod9 
out algorithm for packet same order as messages are 
transmission. received 
FIPS Federal A government security measurement 
Information standard that specifies four 
Processing increasing levels (from "Level 1" to 
Standards "Level 4") of requirements to cover a 
wide range of potential applications 
and environments. The requirements 
address such issues as basic design 
and documentation, module 
interfaces, authorized roles and 
services, physical security, software 
security, operating system security, 
key management, cryptographic 
algorithms, electromagnetic 
interference and electromagnetic 
compatibility (EMI/EMC), and self- 
testing. NIST and the Canadian 
Communication Security 
Establishment jointly certify modules. 
firewall A buffer device Router or access server, or several ITA/Jan 2003 


separating any 
connected public 
networks and a private 
network 


routers or access servers, designated 
as a buffer between any connected 
public networks and a private 
network. A firewall router uses access 
lists and other methods to ensure the 
security of the private network. 
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flash memory Special type of A special type of EEPROM that can ITA/Jan 2003 
EEPROM that can be be erased and reprogrammed in 
erased and blocks instead of one byte at a time. 
reprogrammed Many modern PCs have their BIOS 
stored on a flash memory chip so that 
it can be updated easily if necessary. 
Such a BIOS is sometimes called a 
flash BIOS. Flash memory is also 
popular in modems because it 
enables the modem manufacturer to 
support new protocols as they 
become standardized. 
flow control Technique for ensuring | Technique for ensuring that a ITA/Jan 2003 
that a transmitting transmitting entity, such as a modem, 
entity does not does not overwhelm a receiving entity 
overwhelm a receiving | with data. When the buffers on the 
entity with data. receiving device are full, a message 
is sent to the sending device to 
suspend the transmission until the 
data in the buffers has been 
processed. In IBM networks, this 
technique is called pacing. 
forwarding Sending a frame Process of sending a frame toward its | ITA/Jan 2003 
toward its end ultimate destination by way of an 
destination using an internetworking device. 
internetworking device 
frame Logical grouping of Logical grouping of information sent ITA/Jan 2003 
information sent as a as a data-link layer unit over a 
data-link layer unit transmission medium. Often refers to 
the header and the trailer, used for 
synchronization and error control that 
surround the user data contained in 
the unit. 
Frame Relay Switched data-link Industry-standard, switched data-link ITA/Jan 2003 
layer protocol that layer protocol that handles multiple 
handles multiple virtual | virtual circuits using HDLC 
circuits encapsulation between connected 
devices. Frame Relay is more 
efficient than X.25, the protocol for 
which it generally is considered a 
replacement. 
FRF.5 Function that allows Frame Relay-to-ATM Service 
Frame Relay traffic Interworking. Allows Frame Relay 
over an ATM network traffic to be transported through an 
ATM network. 
FRF.8 Function that allows Frame Relay-to-ATM Service ITA/Jan 2003 
Frame Relay and ATM | Interworking. Allows Frame Relay 
networks to exchange and ATM networks to exchange data 
data despite differing network protocols. 
FRTS Frame Relay Queueing method that | Data is buffered and sent into the ITA/Jan 2003 
traffic shaping uses queues on a network in regulated amounts to 


Frame Relay network 
to limit surges that can 
cause congestion. 


ensure that the traffic can fit within 
the promised traffic envelope for the 
particular connection. 
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FTP File Transfer A standard protocolin | A standard protocol in the TCP/IP BCRAN Mod9 
Protocol the TCP/IP suite of suite of protocols used to transfer 
protocols used to files from one device to another 
transfer files from one 
device to another 
full duplex Simultaneous data Capability for simultaneous data ITA/Jan 2003 
transmission between transmission between a sending 
sending and receiving station and a receiving station. 
stations 
full mesh Network topology, with | Term describing a network in which ITA/Jan 2003 
each network node devices are organized in a mesh 
having either a topology, with each network node 
physical circuit or a having either a physical circuit or a 
virtual circuit virtual circuit connecting it to every 
connecting it to every other network node. A full mesh 
other network node. provides a great deal of redundancy 
but because it can be prohibitively 
expensive to implement, it usually is 
reserved for network backbones. 
half duplex Capability for data Capability for data transmission in ITA/Jan 2003 
transmission in only only one direction at a time between 
one direction ata time | asending station and a receiving 
station. BSC is an example of a half- 
duplex protocol. 
HDB3 high density Line code type used 1. Zero suppression line coding used ITA/Jan 2003 
binary 3 on E1 circuits on E1 links. 
2. Line code type used on E1 circuits. 
HDLC high-level data | Bit-oriented Bit-oriented synchronous data-link ITA/Jan 2003 
link control synchronous data-link layer protocol developed by ISO. 
layer protocol Derived from SDLC, HDLC specifies 
a data encapsulation method on 
synchronous serial links using frame 
characters and checksums. 
HDSL high-data-rate One of four DSL Because HDSL provides T1 speed, ITA/Jan 2003 
digital technologies. HDSL telephone companies have been 
subscriber line | delivers 1.544 Mbps of | using HDSL to provision local access 
bandwidth each way to T1 services whenever possible. 
over two copper The operating range of HDSL is 
twisted pairs. limited to 12,000 feet (3658.5 
meters), so signal repeaters are 
installed to extend the service 
headend Somewhat analogous A facility where signals are received, BCRAN 
to a central office of a processed, formatted, and combined Mod11 
telephone company. for transmission on the distribution 
network. 
header Control information Control information placed before ITA/Jan 2003 
placed before data data when encapsulating that data for 
during encapsulation network transmission. 
HFC hybrid fiber- Cable technology Technology being developed by the ITA/Jan 2003 
coaxial using a combination of | cable TV industry to provide two-way, 


fiber optics and 
traditional coaxial 
cable 


high-speed data access to the home 
using a combination of fiber optics 
and traditional coaxial cable. 
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hierarchical Addressing scheme Scheme of addressing that uses a ITA/Jan 2003 
addressing that uses a logical logical hierarchy to determine 
hierarchy to determine | location. For example, IP addresses 
location consist of network numbers, subnet 
numbers, and host numbers, which IP 
routing algorithms use to route the 
packet to the appropriate location. 
hierarchical Network hierarchy that | The complex problem of routing on ITA/Jan 2003 
routing solves the problem of large networks can be simplified by 
routing on large reducing the size of the networks. 
networks This is accomplished by breaking a 
network into a hierarchy of networks, 
where each level is responsible for its 
own routing. 
HMAC Hash-based A mechanism for HMAC is a mechanism for message ITA/Jan 2003 
Message message authentication using cryptographic 
Authentication | authentication using hash functions. HMAC can be used 
Code cryptographic hash with any iterative cryptographic hash 
functions function, for example, MD5, SHA-1, in 
combination with a secret shared key. 
The cryptographic strength of HMAC 
depends on the properties of the 
underlying hash function. 
HMAC-MD5 Hashed A keyed version of A keyed version of MD5 based on ITA/Jan 2003 
Message MD5 based on RFC RFC 2104 that enables two parties to 
Authentication | 2104 validate transmitted information using 
Codes with a shared secret. 
MD5 
hop Passage of a data Passage of a data packet between ITA/Jan 2003 
packet between two two network nodes (for example, 
network nodes between two routers). 
hop count Routing metric that Routing metric used to measure the ITA/Jan 2003 
measures the distance | distance between a source anda 
between a source and _ | destination. RIP uses hop count as its 
a destination sole metric. 
host Computer system ona | Computer system on a network. ITA/Jan 2003 
network Similar to node, except that host 
usually implies a computer system, 
whereas node generally applies to 
any networked system, including 
access servers and routers. 
host name Name given toa Name given to a machine. ITA/Jan 2003 
machine 
HTTP Hypertext The protocol used by The protocol used by Web browsers ITA/Jan 2003 
Transfer Web browsers and and Web servers to transfer files, 
Protocol Web servers to such as text and graphic files. 
transfer files, such as 
text and graphic files. 
hybrid Combination of two or | Application of cryptography that ITA/Jan 2003 
encryption more encryption combines two or more encryption 


algorithms 


algorithms, particularly a combination 
of symmetric and asymmetric 
encryption. 
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ICMP Internet Network layer protocol | Network layer Internet protocol that ITA/Jan 2003 
Control that reports IP packet reports errors and provides other 
Message processing errors information relevant to IP packet 
Protocol processing. Documented in RFC 792. 
IDS Intrusion An IDS is a security countermeasure. | BCRAN 
Detection It monitors traffic and events looking Mod11 
System for signs of intruders. A host-based 
IDS monitors system events, log files, 
and so on. A network-based IDS 
monitors network traffic, usually 
promiscuously. Being replaced with 
IPS, Intrusion Protection System. 
IEEE Institute of Professional Professional organization whose ITA/Jan 2003 
Electrical and organization that activities include the development of 
Electronics develops network communications and network 
Engineers standards standards. IEEE LAN standards are 
the predominant LAN standards 
today. 
IEEE 802.1 Specification of an IEEE specification that describes an ITA/Jan 2003 
algorithm that prevents | algorithm that prevents bridging loops 
bridging loops by by creating a spanning tree. The 
creating a spanning algorithm was invented by Digital 
tree Equipment Corporation. The Digital 
algorithm and the IEEE 802.1 
algorithm are not exactly the same, 
nor are they compatible. 
IEEE 802.3 LAN protocol that IEEE LAN protocol that specifies an ITA/Jan 2003 
specifies the physical implementation of the physical layer 
and MAC sublayers of | and the MAC sublayer of the data-link 
the data-link layer layer. IEEE 802.3 uses CSMA/CD 
access at a variety of speeds over a 
variety of physical media. Extensions 
to the IEEE 802.3 standard specify 
implementations for Fast Ethernet. 
IETF Internet Internet standards task | Task force consisting of over 80 ITA/Jan 2003 
Engineering force working groups responsible for 
Task Force developing Internet standards. 
IGP Interior Protocol used to Internet protocol used to exchange ITA/Jan 2003 
Gateway exchange routing routing information within an 
Protocol information within an autonomous system. Examples of 
autonomous system common Internet IGPs include IGRP, 
OSPF, and RIP. 
IGRP Interior Protocol that IGP developed by Cisco to address ITA/Jan 2003 
Gateway addresses routing the issues associated with routing in 
Routing issues in large, large, heterogeneous networks. 
Protocol heterogeneous 
networks 
IKE Internet Key A shared security IKE establishes a shared security ITA/Jan 2003 


Exchange 


policy of authenticated 
key exchanges for 
IPSec 


policy and authenticates keys for 
services (such as IPSec) that require 
keys. Before any IPSec traffic can be 
passed, each router/firewall/host 
must verify the identity of its peer. 
This can be done by manually 
entering pre-shared keys into both 
hosts or by a CA service. 
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Ingress noise Over-the-air signals Over-the-air signals that are coupled BCRAN 
that are coupled into into the nominally closed coaxial Mod11 
the nominally closed cable distribution system, generally 
coaxial cable via damaged cable or other network 
distribution system, components, poorly shielded TVs and 
generally via damaged | VCRs. Difficult to track down and 
cable or other network | intermittent in nature. 
components, poorly 
shielded TVs and 
VCRs. Difficult to track 
down and intermittent 
in nature. 
internet Short for internetwork Short for internetwork. Not to be ITA/Jan 2003 
confused with the Internet. 
Internet Largest global Largest global internetwork, ITA/Jan 2003 
internetwork connecting tens of thousands of 
networks worldwide and having a 
“culture” that focuses on research 
and standardization based on real-life 
use. Many leading-edge network 
technologies come from the Internet 
community. The Internet evolved in 
part from ARPANET. At one time, 
called the DARPA Internet. 
internetwork Collection of networks Collection of networks interconnected | ITA/Jan 2003 
that functions as a by routers and other devices that 
single network functions (generally) as a single 
network. Sometimes called an 
internet, which is not to be confused 
with the Internet. 
internetworking Term that refers to General term used to refer to the ITA/Jan 2003 
connecting networks industry devoted to connecting 
together networks together. The term can refer 
to products, procedures, and 
technologies. 
Inverse ARP Inverse Method of building Method of building dynamic routes in ITA/Jan 2003 
Address dynamic routes in a a network. Allows an access server to 
Resolution network discover the network address of a 
Protocol device associated with a virtual 
circuit. 
IP Internet Protocol that offers a Network layer protocol in the TCP/IP ITA/Jan 2003 
Protocol connectionless stack offering a connectionless 


internetwork service 


internetwork service. IP provides 
features for addressing, type-of- 
service specification, fragmentation 
and reassembly, and security. 
Defined in RFC 791. 
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IP address 


Expansion of 
Acronym 


Short Definition for 
Mouseover 


32-bit address 
assigned to hosts 
using TCP/IP 


Definition of Acronym or Term 


32-bit address assigned to hosts 
using TCP/IP. An IP address belongs 
to one of five classes (A, B, C, D, or 
E) and is written as 4 octets 
separated by periods (dotted decimal 
format). Each address consists of a 
network number, an optional 
subnetwork number, and a host 
number. The network and subnetwork 
numbers together are used for 
routing, and the host number is used 
to address an individual host within 
the network or subnetwork. A subnet 
mask is used to extract network and 
subnetwork information from the IP 
address. CIDR provides a new way of 
representing IP addresses and 
subnet masks. Also called an Internet 
address. 


Source for 
Definition 


ITA/Jan 2003 


IP spoofing 


IP spoofing attack 
where an attacker 
outside your network 
pretends to be a 
trusted user 


IP spoofing attack occurs when an 
attacker outside your network 
pretends to be a trusted user either 
by using an IP address that is within 
the range of IP addresses for your 
network or by using an authorized 
external IP address that you trust and 
to which you want to provide access 
to specified resources on your 
network. Should an attacker get 
access to your IPSec security 
parameters, that attacker can 
masquerade as the remote user 
authorized to connect to the 
corporate network. 


ITA/Jan 2003 


IPCP 


IP Control 
Protocol 


Protocol controlling IP 
over PPP 


Protocol that establishes and 
configures IP over PPP. See also IP 
and PPP. 


ITA/Jan 2003 


IPSec 


IP Security 


Open standards that 
provides data 
confidentiality, data 
integrity, and data 
authentication between 
participating peers. 


A framework of open standards that 
provides data confidentiality, data 
integrity, and data authentication 
between participating peers. IPSec 
provides these security services at 
the IP layer. IPSec uses IKE to 
handle the negotiation of protocols 
and algorithms based on local policy 
and to generate the encryption and 
authentication keys to be used by 
IPSec. IPSec can protect one or more 
data flows between a pair of hosts, 
between a pair of security gateways, 
or between a security gateway and a 
host. 


ITA/Jan 2003 


IPSO 


IP Security 
Option 


Specification that 
defines an optional 
security field in the IP 
packet header 


U.S. government specification that 
defines an optional field in the IP 
packet header that defines 
hierarchical packet security levels on 
a per interface basis. 


ITA/Jan 2003 
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IPv6 IP version 6 Replacement for IP version 4. IPv6 BCRAN 
includes support for flow ID in the Mod10 
packet header, which can be used to 
identify flows. Formerly called IPng 
(next generation). 
IPX Internetwork NetWare network layer (Layer 3) ITA/Jan 2003 
Packet protocol used for transferring data 
Exchange from servers to workstations. IPX is 
similar to IP and XNS. 
ISAKMP Internet Internet IPSec protocol | Internet IPSec protocol [RFC 2408] ITA/Jan 2003 
Security [RFC 2408] that that negotiates, establishes, modifies, 
Association negotiates, and deletes security associations. It 
and Key establishes, modifies, also exchanges key generation and 
Management and deletes security authentication data (independent of 
Protocol associations the details of any specific key 
generation technique), key 
establishment protocol, encryption 
algorithm, or authentication 
mechanism. 
ISDN Integrated Protocol that permits Communication protocol offered by ITA/Jan 2003 
Services telephone networks to telephone companies that permits 
Digital Network | carry data, voice, and telephone networks to carry data, 
other traffic voice, and other source traffic. 
IS-IS Intermediate Routing protocol OSI link-state hierarchical routing ITA/Jan 2003 
System-to- whereby routers protocol based on DECnet Phase V 
Intermediate exchange information routing, whereby ISs (routers) 
System based on a single exchange routing information based 
metric on a single metric to determine 
network topology. 
ISL Inter-Switch Protocol that maintains | Cisco-proprietary protocol that ITA/Jan 2003 
Link VLAN information maintains VLAN information as traffic 
between switches and _ | flows between switches and routers. 
routers 
ISP Internet Company that provides | Company that provides Internet ITA/Jan 2003 
service Internet access to access to other companies and 
providers other companies and individuals. 
individuals. 
ITU International UN organization that An organization established by the ITA/Jan 2003 
Telecommunic | sets international United Nations to set international 
ation Union telecommunications telecommunications standards and to 
standards allocate frequencies for specific uses. 
ITU-T International The process for Defines the process for sending data BCRAN Mod7 
Telecommunic | sending data over a over a public data network. 
ation Union public data network 
Telecommunic 
ation 
Standardizatio 
n Sector 
jitter Interpacket delay The interpacket delay variance; that ITA/Jan 2003 
variance is, the difference between interpacket 
arrival and departure. Jitter is an 
important QoS metric for voice and 
video applications. 
kbps kilobits per Bit rate expressed in A bit rate expressed in thousands of ITA/Jan 2003 
second thousands of bits per bits per second. 
second. 
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keepalive Time between Period of time between each ITA/Jan 2003 
interval expected keepalive keepalive message sent by a network 
message device. 
keepalive Message to show that Message sent by one network device | ITA/Jan 2003 
message a virtual circuit to inform another network device that 
between the two the virtual circuit between the two is 
devices is still active. still active. 
key distribution Delivery of a Process that delivers a cryptographic | ITA/Jan 2003 
generated key from the location where it is 
cryptographic key to generated to the locations where it is 
the locations where it used in a cryptographic algorithm. 
is used 
key establishment (algorithm or 
protocol) 
Process that combines the key 
generation and key distribution steps 
needed to set up or install a secure 
communication association. 
key pair Set of mathematically Set of mathematically related keys-a ITA/Jan 2003 
related keys public key and a private key-that are 
used for asymmetric cryptography 
and are generated in a way that 
makes it computationally infeasible to 
derive the private key from 
knowledge of the public key. 
key recovery Learning the value of a | 1. Process for learning the value of a ITA/Jan 2003 
cryptographic key that | cryptographic key that previously was 
previously was used used to perform some cryptographic 
operation. 
2. Techniques that provide an 
intentional, alternate (that is, 
secondary) means to access the key 
used for data confidentiality service in 
an encrypted association. 
LAN local-area High-speed, low-error High-speed, low-error data network ITA/Jan 2003 
network data network covering covering a relatively small geographic 
a small geographic area (up to a few thousand meters). 
area LANs connect workstations, 
peripherals, terminals, and other 
devices in a single building or other 
geographically limited area. LAN 
standards specify cabling and 
signaling at the physical and data-link 
layers of the OSI model. Ethernet, 
FDDI, and Token Ring are widely 
used LAN technologies. 
LAN switch High-speed switch that | High-speed switch that forwards ITA/Jan 2003 


forwards packets 
between data-link 
segments 


packets between data-link segments. 
Most LAN switches forward traffic 
based on MAC addresses. This 
variety of LAN switch is sometimes 
called a frame switch. LAN switches 
often are categorized according to the 
method they use to forward traffic: 
cut-through packet switching or store- 
and-forward packet switching. 
Multilayer switches are an intelligent 
subset of LAN switches. 
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LAPB Link Access Data link layer protocol | LAPB is a bit-oriented protocol ITA/Jan 2003 
Procedure, in the X.25 protocol derived from HDLC. 
Balanced stack 
LAPD Link Access ISDN data link layer LAPD was derived from the LAPB ITA/Jan 2003 
Procedure on protocol for the protocol and is designed primarily to 
the D channel D channel. satisfy the signaling requirements of 
ISDN basic access. Defined by ITU-T 
Recommendations Q.920 and Q.921. 
latency Delay between the 1. Delay between the time a device ITA/Jan 2003 
time a device requests | requests access to a network and the 
network access and time it is granted permission to 
the time it is granted transmit. 
permission to transmit. 
2. Delay between the time a device 
receives a frame and the time that 
frame is forwarded out the destination 
port. 
LCP link control Protocol that Protocol that establishes, configures, ITA/Jan 2003 
protocol establishes, and tests data-link connections for 
configures, and tests use by PPP. 
PPP connections 
LCV line code WAN line error event Occurrence of a BPV or EXZ error ITA/Jan 2003 
violation event. 
learning bridge Bridge that performs Bridge that performs MAC address ITA/Jan 2003 
MAC address learning | learning to reduce traffic on the 
network. Learning bridges manage a 
database of MAC addresses and the 
interfaces associated with each 
address. 
leased line Transmission line Transmission line reserved by a ITA/Jan 2003 
reserved for the private | communications carrier for the private 
use of a customer use of a customer. A leased line is a 
type of dedicated line. 
LFl Link On low-speed serial links, a large BCRAN 
Fragmentation packet can cause latency for smaller Mod10 
and packets, such as voice packets. 
Interleaving Developed primarily for links running 
at 768 kbps or less, link-level 
fragmentation can prevent increased 
latency (and jitter) by dividing the 
large data packets into smaller pieces 
and interleaving voice packets within 
those fragments. Link Fragmentation 
and Interleaving for MLP has the 
same benefits as FRF.12 except over 
links running PPP encapsulation. The 
feature complies with RFC 1717. 
line card Any I/O card that can Any I/O card that can be inserted ina | ITA/Jan 2003 
be inserted ina modular chassis. 
modular chassis 
line code type Coding schemes used | One of anumber of coding schemes ITA/Jan 2003 


on serial lines to 
maintain data integrity 
and reliability 


used on serial lines to maintain data 
integrity and reliability. The line code 
type used is determined by the carrier 
service provider. See also AMI, 
B8ZS, and HDB3. 
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Acronym or 
Term 


link-state 
routing 
algorithm 


Expansion of 
Acronym 


Short Definition for 
Mouseover 


Routing algorithm 
where each router 
broadcasts information 
about each neighbor to 
all network nodes 


Definition of Acronym or Term 


Routing algorithm in which each 
router broadcasts or multicasts 
information regarding the cost of 
reaching each of its neighbors to all 
nodes in the internetwork. Link-state 
algorithms create a consistent view of 
the network and therefore are not 
prone to routing loops; however, they 
achieve this at the cost of relatively 
greater computational difficulty and 
more widespread traffic (compared 
with distance vector routing 
algorithms). 


Source for 
Definition 


ITA/Jan 2003 


LLQ 


Low Latency 
Queuing 


LLQ provides strict 
priority queuing for 
Class-Based Weighted 
Fair Queuing 
(CBWFQ), reducing 
jitter in voice 
conversations. 


Strict priority queuing gives delay- 
sensitive data, such as voice, 
preferential treatment over other 
traffic. With this feature, delay- 
sensitive data is sent first, before 
packets in other queues are treated. 
Low Latency Queuing is also called 
PQ/CBWFQ because it is a 
combination of the two techniques. 


BCRAN Mod9 


LMDS 


Local 
Multipoint 
Distribution 
Service 


A relatively low-power license for 
broadcasting voice, video, and data. 
There are typically two licenses 
granted in three frequencies, each to 
separate entities within a BTA. These 
licenses are known as Block A or 
Block B licenses. Block A licenses 
operate from 27.5 to 28.35 GHz, 
29.10 to 29.25 GHz, and 31.075 to 
31.225 GHz for a total of 1.159 MHz 
of bandwidth. Block B licenses 
operate from 31.00 to 31.075 GHz 
and 31.225 to 31.300 for a total of 
150 MHz of bandwidth. LMDS 
systems have a typical maximum 
transmission range of approximately 
3 miles as opposed to the 
transmission range of an MMDS 
system, which is typically 25 miles. 
This difference in range is primarily a 
function of physics and FCC- 
allocated output power rates. 


ITA/Jan 2003 


LMI 


Local 
Management 
Interface 


Frame Relay feature 
that supports 
keepalive, multicast, 
and status 
mechanisms 


Set of enhancements to the basic 
Frame Relay specification. LMI 
includes support for a keepalive 
mechanism, which verifies that data 
is flowing; a multicast mechanism, 
which provides the network server 
with its local DLCI and the multicast 
DLCI; global addressing, which gives 
DLCls global rather than local 
significance in Frame Relay 
networks; and a status mechanism, 
which provides an on-going status 
report on the DLCls known to the 
switch. 


ITA/Jan 2003 


local loop 


Line from phone 
subscriber to the 
central office. 


Line from the premises of a telephone 
subscriber to the telephone company 
Co. 


ITA/Jan 2003 
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LOF loss of frame loss of frame on a LOF is a generic term with various ITA/Jan 2003 
WAN signal for a given | meanings depending on the signal 
interval standards domain in which it's being 
used. 
A SONET port status indicator that 
activates when an LOF defect occurs 
and does not clear for an interval of 
time equal to the alarm integration 
period, which is typically 2.5 seconds. 
LOS loss of signal A loss of signal A loss of signal occurs when n ITA/Jan 2003 
indicated by consecutive zeros is detected on an 
consecutive zeros incoming signal. 
LSA link-state Link-state broadcast Broadcast packet used by link-state ITA/Jan 2003 
advertisement | packet with information | protocols that contains information 
about neighbors and about neighbors and path costs. 
path costs LSAs are used by the receiving 
routers to maintain their routing 
tables. 
MAC Media Access Lower sublayer of the Lower of the two sublayers of the ITA/Jan 2003 
Control data-link layer defined data-link layer defined by the IEEE. 
by the IEEE The MAC sublayer handles access to 
shared media, such as whether token 
passing or contention will be used. 
MAC address Data-link layer address | Standardized data-link layer address ITA/Jan 2003 
required for every port | that is required for every port or 
or device on a LAN device that connects to a LAN. Other 
devices in the network use these 
addresses to locate specific ports in 
the network and to create and update 
routing tables and data structures. 
MAC addresses are 6 bytes long and 
are controlled by the IEEE. Also 
known as a hardware address, MAC- 
layer address, and physical address. 
MAC address Service in which the Service that characterizes a learning ITA/Jan 2003 
learning source MAC address bridge, in which the source MAC 
of each received address of each received packet is 
packet is stored stored so that future packets destined 
for that address can be forwarded 
only to the bridge interface on which 
that address is located. Packets 
destined for unrecognized addresses 
are forwarded out every bridge 
interface. This scheme helps 
minimize traffic on the attached 
LANs. MAC address learning is 
defined in the IEEE 802.1 standard. 
MAN metropolitan- Network that spans a Network that spans a metropolitan ITA/Jan 2003 
area network metropolitan area. area. Generally, a MAN spans a 
larger geographic area than a LAN, 
but a smaller geographic area than a 
WAN. Compare with LAN and WAN. 
man-in-the- Active wiretapping Form of active wiretapping attack in ITA/Jan 2003 
middle attack in which the which the attacker intercepts and 


attacker intercepts and 
selectively modifies 
communicated data 


selectively modifies communicated 
data to masquerade as one or more 
of the entities involved in a 
communication association. 
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map class defines specific defines specific characteristics for a BCRAN Mod6 
characteristics for a call to a specified dial string. 
call to a specified dial 
string. 
Mbps megabits per Bit rate expressed in A bit rate expressed in millions of 
second millions of binary bits binary bits per second. 
per second 
MD5 Message One-way hashing A one-way hashing algorithm that ITA/Jan 2003 
Digest 5 algorithm that produces a 128-bit hash. Both MD5 
produces a 128-bit and Secure Hash Algorithm (SHA) 
hash are variations on MD4 and are 
designed to strengthen the security of 
the MD4 hashing algorithm. Cisco 
uses hashes for authentication within 
the IPSec framework. Also used for 
message authentication in SNMP v.2. 
MD5 verifies the integrity of the 
communication, authenticates the 
origin, and checks for timeliness. See 
also SNMP2. 
mesh Topology in which Network topology in which devices ITA/Jan 2003 
devices are organized are organized in a manageable, 
with many, often segmented manner with many, often 
redundant, redundant, interconnections 
interconnections strategically placed between network 
nodes. See also full mesh and partial 
mesh. 
MICA Modem ISDN Modem module and Modem module and card used in the ITA/Jan 2003 
channel card used in the Cisco | Cisco AS5300 universal access 
aggregation AS5300 universal servers. A MICA modem provides an 
access servers. interface between an incoming or 
outgoing digital call and an ISDN 
telephone line; the call does not have 
to be converted to analog as it does 
with a conventional modem and an 
analog telephone line. Each line can 
accommodate, or aggregate, up to 24 
(T1) or 30 (E1) calls. 
MLP Multilink PPP Protocol that splits, This protocol is a method of splitting, ITA/Jan 2003 
recombines, and recombining, and sequencing 
sequences datagrams | datagrams across multiple logical 
data links. 
MMDS Multichannel MMDS is composed of as many as ITA/Jan 2003 
Multipoint 33 discrete channels, which are 
Distribution transmitted in a pseudorandom order 
Service between the transmitters and the 
receivers. The FCC-allocated two 
bands of frequencies for each BTA 
are 2.15 to 2.161 GHz and 2.5 to 
2.686 GHz. 
modem modulator- Device that converts Device that converts digital and ITA/Jan 2003 
demodulator digital and analog analog signals. At the source, a 
signals modem converts digital signals to a 
form suitable for transmission over 
analog communication facilities. At 
the destination, the analog signals 
are returned to their digital form. 
Modems allow data to be transmitted 
over voice-grade telephone lines. 
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modem Connection of two DTE | Device allowing the connection of two | ITA/Jan 2003 
eliminator devices without DTE devices without modems. 
modems 
modulation Process to transform Process by which the characteristics ITA/Jan 2003 
electrical signals to of electrical signals are transformed 
represent information to represent information. Types of 
modulation include AM, FM, and 
PAM. See also AM, FM, and PAM. 

MPPC Microsoft Allows Cisco routers to | MPPC uses an LZ-based BCRAN Mod9 
Point-to-Point exchange compressed | compression mechanism. Use MPPC 
Compression data with Microsoft when exchanging data with a host 

clients using MPPC across a WAN link. 

MSO Multiple Big companies that Big companies that operate multiple BCRAN 
system operate multiple systems Mod11 
operators systems 

multilayer Switch that filters and Switch that filters and forwards ITA/Jan 2003 

switch forwards packets packets based on MAC addresses 

based on MAC and network addresses. A subset of 
network addresses LAN switch. 

multiplexing Multiple logical signals | Scheme that allows multiple logical ITA/Jan 2003 

transmitted signals to be transmitted 
simultaneously across | simultaneously across a single 
a single physical physical channel. Compare with 
channel. demultiplexing. 

name server Server that resolves Server connected to a network that ITA/Jan 2003 

network names into resolves network names into network 
network addresses addresses. 

NAT Network Mechanism that Mechanism for reducing the need for | ITA/Jan 2003 
Address reduces the need for globally unique IP addresses. NAT 
Translation globally unique IP allows an organization with 

addresses addresses that are not globally 
unique to connect to the Internet by 
translating those addresses into 
globally routable address space. 

NBMA nonbroadcast Multiaccess network Term describing a multi-access ITA/Jan 2003 
multiaccess that does not support network that either does not support 

broadcasting broadcasting (such as X.25) or in 
which broadcasting is not feasible (for 
example, an SMDS broadcast group 
or an extended Ethernet that is too 
large). 

NBS National Organization that was part of the U.S. | ITA/Jan 2003 
Bureau of Department of Commerce. Now 
Standards known as NIST. See also NIST . 

NCP Network Protocols that Series of protocols for establishing ITA/Jan 2003 
Control establish and configure | and configuring different network 
Protocol different network layer | layer protocols, such as for AppleTalk 

protocols over PPP. 

neighboring In OSPF, two routers In OSPF, two routers that have ITA/Jan 2003 

routers that have interfaces to | interfaces to a common network. On 


a common network 


multi-access networks, neighbors are 
discovered dynamically by the OSPF 
Hello protocol. 
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network Network layer address | Network layer address referring to a ITA/Jan 2003 
address referring to a logical logical, rather than a physical, 
network device network device. 
network Systems or actions Generic term used to describe ITA/Jan 2003 
management that help maintain or systems or actions that help maintain, 
troubleshoot a network | characterize, or troubleshoot a 
network. 
NIC network Board that provides Board that provides network ITA/Jan 2003 
interface card network communication capabilities to and 
communication with a from a computer system. Also called 
computer system an adapter. 
NIST National U.S. government organization that 
Institute of supports and catalogs a variety of 
Standards and standards. Formerly the NBS. See 
Technology also NBS. 
N-ISDN Narrowband ISDN standard for 64- Communication standards developed | ITA/Jan 2003 
ISDN kbps B channels and by the ITU-T for baseband networks. 
16- or 64-kbps D Based on 64-kbps B channels and 
channels. 16- or 64-kbps D channels. Contrast 
with BISDN. See also BRI, ISDN, and 
PRI. 
NNI Network-to- Describes how the Describe how the ATM and Frame BCRAN Mod7 
Network ATM and Frame Relay | Relay networks of different service 
Interface networks of different providers connect to each other. 
service providers 
connect to each other 
nonce Random or non- Random or non-repeating value that ITA/Jan 2003 
repeating value is included in data exchanged by a 
protocol, usually for the purpose of 
guaranteeing liveness and thus 
detecting and protecting against 
replay attacks. 
NT-1 network An ISDN device In ISDN, a device that provides the ITA/Jan 2003 
termination 1 interfacing customer interface between customer premises 
premises equipment equipment and central office 
and central office switching equipment. 
equipment. 
NTSC National North American TV Uses a 6-MHz-wide modulated BCRAN 
Television technical standard, signal. Mod11 
Systems named after the 
Committee. organization that 
created it in 1941. 
NVRAM nonvolatile RAM that retains its RAM that retains its contents when a ITA/Jan 2003 
RAM contents when the unit is powered off. 
power is off 
OAKLEY Key establishment Key establishment protocol (proposed | ITA/Jan 2003 


protocol 


for IPsec but superseded by IKE) 
based on the Diffie-Hellman algorithm 
and designed to be a compatible 
component of ISAKMP. 
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Acronym or 
Term 


OIR 


Expansion of 
Acronym 


online insertion 
and removal 


Short Definition for 
Mouseover 


Feature that permits 
the card replacement 
without interrupting the 
power 


Definition of Acronym or Term 


Feature that permits the addition, the 
replacement, or the removal of cards 
without interrupting the system 
power, entering console commands, 
or causing other software or 
interfaces to shutdown. Sometimes 
called hot swapping or power-on 
servicing. 


Source for 
Definition 


ITA/Jan 2003 


one-way 
encryption 


Irreversible 
transformation of 
plaintext to ciphertext 


Irreversible transformation of plaintext 
to ciphertext, such that the plaintext 
cannot be recovered from the 
ciphertext by other than exhaustive 
procedures even if the cryptographic 
key is known. 


ITA/Jan 2003 


ones density 


Scheme that allows a 
CSU/DSU to recover 
the data clock reliably 


Scheme that allows a CSU/DSU to 
recover the data clock reliably. The 
CSU/DSU derives the data clock from 
the data that passes through it. To 
recover the clock, the CSU/DSU 
hardware must receive at least one 1 
bit value for every 8 bits of data that 
pass through it. Also called pulse 
density. 


ITA/Jan 2003 


OSI reference 
model 


Open System 
Interconnectio 
n reference 
model 


Network architectural 
model developed by 
ISO and ITU-T 


Network architectural model 
developed by ISO and ITU-T. The 
model consists of seven layers, each 
of which specifies particular network 
functions, such as addressing, flow 
control, error control, encapsulation, 
and reliable message transfer. The 
lowest layer (the physical layer) is 
closest to the media technology. The 
lower two layers are implemented in 
hardware and software whereas the 
upper five layers are implemented 
only in software. The highest layer 
(the application layer) is closest to the 
user. 


ITA/Jan 2003 


OSPF 


Open Shortest 
Path First 


Link-state, hierarchical 
IGP routing algorithm 


Link-state, hierarchical IGP routing 
algorithm proposed as a successor to 
RIP in the Internet community. OSPF 
features include least-cost routing, 
multipath routing, and load balancing. 
OSPF was derived from an early 
version of the IS-IS protocol. 


ITA/Jan 2003 


packet 


Information that 
includes a header with 
control information 


Logical grouping of information that 
includes a header containing control 
information and (usually) user data. 
Packets most often are used to refer 
to network layer units of data. 


ITA/Jan 2003 


packet 
switching 


Method in which nodes 
share bandwidth with 
each other 


Networking method in which nodes 
share bandwidth with each other by 
sending packets. Compare with 
circuit switching and message 
switching. 


ITA/Jan 2003 
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Acronym or 
Term 


PAL 


Expansion of 
Acronym 


Phase 
Alternating 
Line. 


Short Definition for 
Mouseover 


This TV system is 
used in most of 
Europe, Asia, Africa, 
Australia, Brazil, and 
Argentina. 


Definition of Acronym or Term 


The color difference signals alternate 
phase at the horizontal line rate. 
Utilizes a 6 MHz, 7 MHz or 8 MHz 
wide modulated signal, depending on 
PAL version. 


Source for 
Definition 


BCRAN 
Mod11 


PAP 


Password 
Authentication 
Protocol 


Authentication protocol 
between PPP peers 


Authentication protocol that allows 
PPP peers to authenticate one 
another. The remote router 
attempting to connect to the local 
router is required to send an 
authentication request. Unlike CHAP, 
PAP passes the password and the 
host name or username in the clear 
(unencrypted). PAP does not itself 
prevent unauthorized access but 
merely identifies the remote end. The 
router or access server then 
determines whether that user is 
allowed access. PAP is supported 
only on PPP lines. 


ITA/Jan 2003 


partial mesh 


Network where some 
nodes are in a full 
mesh and some are 
connected to one or 
two other nodes 


Network in which devices are 
organized in a mesh topology with 
some network nodes organized in a 
full mesh but others that are 
connected only to one or two other 
nodes in the network. A partial mesh 
does not provide the level of 
redundancy of a full mesh topology 
but is less expensive to implement. 
Partial mesh topologies generally are 
used in the peripheral networks that 
connect to a fully meshed backbone. 


password 


Secret data value for 
authentication 


Secret data value, usually a character 
string that is used as authentication 
information. 


ITA/Jan 2003 


password 
sniffing 


Passive wiretapping to 
get passwords 


Passive wiretapping, usually on a 
local-area network, to gain knowledge 
of passwords. 


ITA/Jan 2003 


PAT 


port address 
translation 


Translation method 
that allows source 
ports to be translated 


Translation method that allows the 
user to conserve addresses in the 
global address pool by allowing 
source ports in TCP connections or 
UDP conversations to be translated. 
Different local addresses then map to 
the same global address, with port 
translation providing the necessary 
uniqueness. 


ITA/Jan 2003 


PCM 


pulse code 
modulation 


pulse code modulation 


Technique of encoding analog voice 
into a 64-kbit data stream by 
sampling with eight-bit resolution at a 
rate of 8000 times per second. 


ITA/Jan 2003 


PGP 


Pretty Good 
Privacy 


Public-key encryption 
application 


Public-key encryption application that 
allows secure file and message 
exchanges. There is some 
controversy over the development 
and the use of this application, in part 
due to U.S. national security 
concerns. 


ITA/Jan 2003 
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ping packet internet | Utility used to test the ICMP echo message and its reply. ITA/Jan 2003 
groper reachability of a Often used in IP networks to test the 
network device reachability of a network device. 
ping of death Attack that sends an Attack that sends an improperly large | ITA/Jan 2003 
improperly large ping ICMP [RO792] echo request packet (a 
"ping") with the intent of overflowing 
the input buffers of the destination 
machine and causing it to crash. 
ping sweep Attack that sends Attack that sends ICMP [RFC 0792] ITA/Jan 2003 
pings to a range of IP echo requests ("pings") to a range of 
addresses IP addresses with the goal of finding 
hosts that can be probed for 
vulnerabilities. 
PKCS Public-Key data structures and Series of specifications published by ITA/Jan 2003 
Cryptography algorithm usage for RSA Laboratories for data structures 
Standards asymmetric and algorithm usage for basic 
cryptography applications of asymmetric 
cryptography. 
PKI public-key set of security- System of CAs (and, optionally, RAs ITA/Jan 2003 
infrastructure management functions | and other supporting servers and 
for a community of agents) that perform some set of 
users for asymmetric certificate management, archive 
cryptography. management, key management, and 
token management functions for a 
community of users in an application 
of asymmetric cryptography. 
poison reverse Routing updates that Routing updates that explicitly ITA/Jan 2003 
updates used to defeat large indicate that a network or a subnet is 
routing loops unreachable, rather than implying that 
a network is unreachable by not 
including it in updates. Poison 
reverse updates are sent to defeat 
large routing loops. 
port Interface on an Interface on an internetworking ITA/Jan 2003 
internetworking device | device (such as a router). 
POTS plain old Traditional variety of Public switched telephone network. ITA/Jan 2003 
telephone telephone networks General term referring to the variety 
service and services in place of telephone networks and services in 
worldwide. place worldwide. 
PPP Point-to-Point Protocol that provides Successor to SLIP that provides ITA/Jan 2003 
Protocol router-to-router and router-to-router and host-to-network 
host-to-network connections over synchronous and 
connections asynchronous circuits. Whereas SLIP 
was designed to work with IP, PPP 
was designed to work with several 
network layer protocols, such as IP, 
IPX, and ARA. PPP also has built-in 
security mechanisms, such as CHAP 
and PAP. PPP relies on two 
protocols: LCP and NCP. 
PPPoA Point-to-Point The CPE is routing the | The PPP session is established BCRAN 
Protocol over packets from the PC of | between the CPE and the Mod11 


ATM 


the end user over ATM 
to an aggregation 
router. 


aggregation router. PPP over ATM 
requires no host-based software like 
PPPoE. 
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PPPoE Point-to-Point PPPoE is also a The CPE is bridging the Ethernet BCRAN 
Protocol over bridged solution similar | frames from the PC of the end user to | Mod11 
Ethernet to RFC 1483/2684 an aggregation router over ATM like 
bridging. RFC 1483/2684 bridging. But in this 
case, the Ethernet frame is carrying a 
PPP frame inside it. The PPP session 
is established between the end-user 
PC (PPPoE Client) and the 
aggregation router. 
PQ/CBWFQ priority Strict priority queueing | Feature that brings strict priority ITA/Jan 2003 
queueing added to class-based queueing to CBWFQ. Strict priority 
/class-based weighted fair queueing | queueing allows delay-sensitive data, 
weighted fair such as voice, to be dequeued and 
queueing sent first (before packets in other 
queues are dequeued), giving delay- 
sensitive data preferential treatment 
over other traffic. 
preshared key Shared secret key Shared secret key that is used during | ITA/Jan 2003 
IKE authentication. 
PRI Primary Rate ISDN interface to ISDN interface to primary rate ITA/Jan 2003 
Interface primary rate access access. Primary rate access consists 
of a single 64-kbps D channel plus 23 
(T1) or 30 (E1) B channels for voice 
or data. 
Priority Queuing defines four priorities As traffic comes into the router, it is BCRAN Mod9 
of traffic---high, assigned to one of the four output 
normal, medium, and queues. Packets on the highest- 
low on a given priority queue are transmitted first. 
interface. Packets on the next highest-priority 
queue are transmitted second, and so 
on. 
private key Secret component of a | Secret component of a pair of ITA/Jan 2003 
pair of cryptographic cryptographic keys used for 
keys asymmetric cryptography. 
privilege Authorization to Authorization or set of authorizations ITA/Jan 2003 
perform security- to perform security-relevant functions, 
relevant functions especially in the context of a 
computer operating system. 
protected Checksum 7 protected | Checksum that is computed for a ITA/Jan 2003 
checksum against active attacks data object by means that protect 
for match changes against active attacks that would 
made to the data attempt to change the checksum to 
object. make it match changes made to the 
data object. 
protocol Rules and conventions | Formal description of a set of rules ITA/Jan 2003 
that govern how and conventions that govern how 
network devices devices on a network exchange 
exchange information information. 
PSTN Public General term referring | General term referring to the variety ITA/Jan 2003 
switched to the variety of of telephone networks and services in 
telephone telephone networks place worldwide. 
network. and services in place 


worldwide. 
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PTT Post, Government agency Government agency that provides ITA/Jan 2003 
Telephone, that provides telephone services. PTTs exist in 
and Telegraph | telephone services most areas outside North America 
and provide both local and long- 
distance telephone services. 
public key Publicly disclosable Publicly disclosable component of a ITA/Jan 2003 
component of a pair of | pair of cryptographic keys used for 
cryptographic keys asymmetric cryptography. 

public-key Certificate that attests Digital certificate that binds a system ITA/Jan 2003 

certificate to the ownership of a entity's identity to a public key value, 

public key. and possibly to additional data items; 
a digitally signed data structure that 
attests to the ownership of a public 
key. 

PVC permanent Virtual circuit that is Virtual circuit that is permanently ITA/Jan 2003 
virtual circuit permanently established. PVCs save bandwidth 
(or connection) | established associated with circuit establishment 

and teardown in situations where 
certain virtual circuits must exist all 
the time. In ATM terminology, called a 
permanent virtual connection. 

PVST+ per-VLAN Dot1q trunks that map | Support for Dot1q trunks to map ITA/Jan 2003 
spanning tree multiple spanning trees | multiple spanning trees to a single 

to a single spanning spanning tree. 
tree 

QAM Quadrature A digital modulation Typical QAM types are 16-QAM (4 BCRAN 
amplitude method in which the bits per symbol), 64-QAM (6 bits per Mod11 
modulation phase and amplitude symbol), and 256-QAM (8 bits per 

of an RF carrier are symbol). 
varied to transmit data. 

QoS quality of Measure of performance for a BCRAN Mod4 
service transmission system that reflects its 

transmission quality and service 
availability. 

QPSK quadrature A digital modulation A digital modulation method in which BCRAN 
phase shift method in which the the phase of the RF carrier is varied Mod11 
keying phase of the RF carrier | to transmit data. There are 2 bits per 

is varied to transmit symbol. 
data. There are 2 bits 
per symbol. 

RA registration Optional public-key Optional PKI entity (separate from the | ITA/Jan 2003 
authority infrastructure (PKI) CAs) that does not sign either digital 

entity certificates or CRLs but has 
responsibility for recording or 
verifying some or all of the 
information (particularly the identities 
of subjects) needed by a CA to issue 
certificates and CRLs and to perform 
other certificate management 
functions. 

RADIUS Remote Database for Database for authenticating modem ITA/Jan 2003 
Authentication | authenticating and ISDN connections and for 
Dial-In User connections tracking connection time. 

Service 
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RAM random- Volatile memory that Volatile memory that can be read and | ITA/Jan 2003 
access can be read and written by a microprocessor. 
memory written by a 
microprocessor 
random early Congestion avoidance | Congestion avoidance algorithm in ITA/Jan 2003 
detection algorithm which a small percentage of packets 
are dropped when congestion is 
detected and before the queue in 
question overflows completely. 
rcp remote copy Protocol used to copy Protocol that allows users to copy ITA/Jan 2003 
protocol files to and from a files to and from a file system residing 
network file system on a remote host or server on the 
network. The rcp protocol uses TCP 
to ensure the reliable delivery of data. 
RED Random Early | Larger-scale networks RED directs one TCP session at a BCRAN Mod9 
Detection employ algorithms, time to slow down. This allows for 
such as RED, so they fuller utilization of the bandwidth and 
can proactively discard | can prevent the crests and troughs of 
packets earlier to traffic from global TCP 
prevent (or delay) tail synchronization. 
drops. 
redundant System that contains Computer, router, switch, or other ITA/Jan 2003 
system two or more of the system that contains two or more of 
most important each of the most important 
subsystems subsystems, such as two disk drives, 
two CPUs, or two power supplies. 
rekey Change the value of a Change the value of a cryptographic ITA/Jan 2003 
cryptographic key key that is being used in an 
application of a cryptographic system. 
reliability Total number of Total number of system failures, ITA/Jan 2003 
system failures regardless of whether a given failure 
results in system down time. 
remote system End system or router End system or router that is attached ITA/Jan 2003 
that is attached to a to a remote access network and that 
remote access network | is either the initiator or the recipient of 
a call. 
Request To Request To Send Request To Send ITA/Jan 2003 
Send 
RF radio Generic term referring Cable TV and broadband networks ITA/Jan 2003 
frequency to frequencies that use RF technology. 
correspond to radio 
transmissions, that is 
wireless 
communications with 
frequencies below 300 
GHz. 
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RF Carrier An electromagnetic An electromagnetic signal on which BCRAN 
signal on which another, lower-frequency signal Mod11 
another, lower- (usually base band, such as analog 
frequency signal audio, analog video or digital data) is 
(usually base band, modulated in order to transport the 
such as analog audio, lower-frequency signal to another 
analog video or digital location 
data) is modulated in 
order to transport the 
lower-frequency signal 
to another location 
RFC Request For Documents that Document series used as the primary | ITA/Jan 2003 
Comments communicate means for communicating information 
information about the about the Internet. Some RFCs are 
Internet designated by the IAB as Internet 
standards. Most RFCs document 
protocol specifications, such as 
Telnet and FTP, but some are 
humorous or historical. RFCs are 
available online from numerous 
sources. 
RIP Routing Routing protocol that IGP supplied with UNIX BSD ITA/Jan 2003 
Information uses hop count as a systems. The most common IGP in 
Protocol routing metric the Internet. RIP uses hop count as a 
routing metric. 
RJ connector registered jack | registered jack registered jack connector. Standard ITA/Jan 2003 
connector connector connectors originally used to connect 
telephone lines. RJ connectors are 
now used for telephone connections 
and for 10BaseT and other types of 
network connections. RJ-11, RJ-12, 
and RJ-45 are popular types of RJ 
connectors. 
RMON remote Defines functions for MIB agent specification described in ITA/Jan 2003 
monitoring the remote monitoring RFC 1271 that defines functions for 
of networked devices the remote monitoring of networked 
devices. The RMON specification 
provides numerous monitoring, 
problem detection, and reporting 
capabilities. 
ROM read-only Nonvolatile memory Nonvolatile memory that can be read, | ITA/Jan 2003 
memory that can be read, but but not written, by the 
not written microprocessor. 
root bridge Bridge that exchanges _ | Exchanges topology information with ITA/Jan 2003 
topology information designated bridges in a spanning-tree 
with designated implementation to notify all other 
bridges bridges in the network when topology 
changes are required. This prevents 
loops and provides a measure of 
defense against link failure. 
root certificate Certificate for which Certificate for which the subject is a ITA/Jan 2003 
the subject is a root. root. Hierarchical PKI usage: The 
self-signed public-key certificate at 
the top of a certification hierarchy. 
root key Public key with Public key for which the matching ITA/Jan 2003 


matching private key 
held by a root. 


private key is held by a root. 
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route Path through an Path through an internetwork. ITA/Jan 2003 
internetwork 
route Consolidation of Consolidation of advertised ITA/Jan 2003 
summarization advertised addresses addresses in OSPF and IS-IS. In 
in OSPF and IS-IS OSPF, this causes a single summary 
route to be advertised to other areas 
by an area border router. 
routed protocol Protocol that can be Protocol that can be routed by a ITA/Jan 2003 
routed by a router router. A router must be able to 
interpret the logical internetwork as 
specified by that routed protocol. 
Examples of routed protocols include 
AppleTalk, DECnet, and IP. 
router Network device that Network layer device that uses one or | ITA/Jan 2003 
forwards packets from | more metrics to determine the optimal 
one network to another | path along which network traffic 
should be forwarded. Routers forward 
packets from one network to another 
based on network layer information. 
Occasionally called a gateway 
(although this definition of gateway is 
becoming increasingly outdated). 
routing Process of finding a Process of finding a path to a ITA/Jan 2003 
path to a destination destination host. Routing is very 
host complex in large networks because of 
the many potential intermediate 
destinations a packet might traverse 
before reaching its destination host. 
routing domain Group of systems Group of end systems and ITA/Jan 2003 
operating under a set intermediate systems operating under 
of administrative rules the same set of administrative rules. 
Within each routing domain is one or 
more areas, each uniquely identified 
by an area address. 
routing metric Method used to Method by which a routing algorithm ITA/Jan 2003 
determine that one determines that one route is better 
route is better than than another. This information is 
another stored in routing tables. Metrics 
include bandwidth, communication 
cost, delay, hop count, load, MTU, 
path cost, and reliability. Sometimes 
referred to simply as a metric. 
routing protocol Protocol uses a Protocol that accomplishes routing ITA/Jan 2003 
specific routing through the implementation of a 
algorithm to route specific routing algorithm. Examples 
packets of routing protocols include IGRP, 
OSPF, and RIP. 
routing table Table stored ina Table stored in a router or some other | ITA/Jan 2003 


router that tracks 
routes and metrics 


internetworking device that keeps 
track of routes to particular network 
destinations and, in some cases, 
metrics associated with those routes. 
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routing update Message sent from a Message sent from a router to ITA/Jan 2003 
router to indicate indicate network reachability and 
network reachability associated cost information. Routing 
and cost updates typically are sent at regular 
intervals and after a change in 
network topology. 
RS-232 Popular physical layer Popular physical layer interface. Now | ITA/Jan 2003 
interface known as EIA/TIA-232. See also 
EIA/TIA-232. 
RSA Rivest, Shamir, | Public-key Acronym stands for Rivest, Shamir, ITA/Jan 2003 
and Adleman cryptographic system and Adleman, the inventors of the 
technique. Public-key cryptographic 
system that can be used for 
encryption and authentication. 
RSVP Resource Protocol that supports the reservation 
Reservation of resources across an IP network. 
Protocol Applications running on IP end 
systems can use RSVP to indicate to 
other nodes the nature (bandwidth, 
jitter, maximum burst, and so on) of 
the packet streams that they want to 
receive. RSVP depends on IPvé6. Also 
known as Resource Reservation 
Setup Protocol. See also IPv6. 
RTP Real-Time Used to carry Used to carry multimedia application BCRAN Mod9 
Transport multimedia application | traffic, including packetized audio and 
Protocol traffic, including video, over an IP network. 
packetized audio and 
video, over an IP 
network. 
RTS Request To EIA/TIA-232 control EIA/TIA-232 control signal that ITA/Jan 2003 
Send signal requests a data transmission ona 
communications line. 
SA security Instance of security Instance of security policy and keying | ITA/Jan 2003 
association policy and keying material applied to a data flow. See 
material also Security Association. 
Satellite Use of orbiting Satellite communications offer high ITA/Jan 2003 
Communication satellites to relay data bandwidth and a cost that is not 
between multiple related to distance between earth 
earth-based stations. stations, long propagation delays, or 
broadcast capability. 
SDSL single-line One of four DSL One of four DSL technologies. SDSL_ | ITA/Jan 2003 
digital technologies. SDSL delivers 1.544 Mbps both 
subscriber line | delivers 1.544 Mbps downstream and upstream over a 
single copper twisted pair. The use of 
a single twisted pair limits the 
operating range of SDSL to 10,000 
feet (3048.8 meters). Compare with 
ADSL, HDSL, and VDSL. 
SECAM Sequential TV system used in Utilizes an 8 MHz wide modulated BCRAN 
Couleur avec France and some signal. Mod11 
Memoire. former Soviet bloc 


countries 
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Secure Shell Protocol that provides Protocol that provides a secure ITA/Jan 2003 
Protocol a secure remote remote connection to a router through 
connection to a router a Transmission Control Protocol 
(TCP) application. 
security An instance of security | An instance of security policy and ITA/Jan 2003 
association policy and keying keying material applied to a data flow. 
material applied to a Both IKE and IPSec use SAs, 
data flow. although SAs are independent of one 
another. IPSec SAs are unidirectional 
and are unique in each security 
protocol. An IKE SA is used by IKE 
only, and unlike the IPSec SA, it is 
bidirectional. IKE negotiates and 
establishes SAs on behalf of IPSec. A 
user also can establish IPSec SAs 
manually. A set of SAs are needed 
for a protected data pipe, one per 
direction per protocol. For example, if 
you have a pipe that supports ESP 
between peers, one ESP SA is 
required for each direction. SAs are 
identified uniquely by destination 
(IPSec endpoint) address, security 
protocol (AH or ESP), and security 
parameter index (SPI). 
security A number that, This is a number that, together witha | ITA/Jan 2003 
parameter index together with a destination IP address and a security 
destination IP address__| protocol, uniquely identifies a 
and a security particular security association. When 
protocol, uniquely using IKE to establish the security 
identifies a particular associations, the SPI for each 
security association. security association is a pseudo- 
randomly derived number. Without 
IKE, the SPI is specified manually for 
each security association. 
segment Section of a network Section of a network that is bounded ITA/Jan 2003 
that is bounded by by bridges, routers, or switches. 
network devices 
serial Data transmission Method of data transmission in which | ITA/Jan 2003 
transmission where bits are the bits of a data character are 
transmitted transmitted sequentially over a single 
sequentially channel. 
SF Super Frame Common framing type | Common framing type used on T1 ITA/Jan 2003 
used on 11 circuits. circuits. SF consists of 12 frames of 
192 bits each, with the 193rd bit 
providing error checking and other 
functions. SF is superseded by ESF 
but is still widely used. Also called D4 
framing. See also ESP. 
SHA-1 Secure Hash Algorithm that takes a Algorithm that takes a message of ITA/Jan 2003 


Algorithm 1 


message of less than 
264 bits in length and 
produces a 160-bit 
message digest 


less than 264 bits in length and 
produces a 160-bit message digest. 
The large message digest provides 
security against brute-force collision 
and inversion attacks. SHA-1 
[NIS94c] is a revision to SHA that 
was published in 1994. 
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SLIP Serial Line Protocol for point-to- Standard protocol for point-to-point ITA/Jan 2003 
Internet point serial serial connections using a variation of 
Protocol connections that is the | TCP/IP. Predecessor of PPP. See 
predecessor of PPP also CSI and PPP. 
SMTP Simple Mail Internet protocol Internet protocol providing e-mail ITA/Jan 2003 
Transfer providing e-mail services. 
Protocol services. 

SN Signal noise Similar to C/N but Similar to C/N but relates to a base BCRAN 
relates to abase band | band signal. Mod11 
signal. 

SNA Systems Large, complex, Similar in some respects to the OSI ITA/Jan 2003 

Network feature-rich network reference model but with a number of 
Architecture architecture developed | differences. SNA essentially is 
in the 1970s by IBM composed of seven layers 
SNMP Simple Network management Network management protocol used ITA/Jan 2003 
Network protocol used in almost exclusively in TCP/IP 
Management TCP/IP networks networks. SNMP provides a means to 
Protocol monitor and control network devices, 
and to manage configurations, 
statistics collection, performance, and 
security. 
SOHO small office, Network for small Networking solutions and access ITA/Jan 2003 
home office office, home office technologies for offices that are not 
directly connected to large corporate 
networks. 

source address Address of a network Address of a network device that is ITA/Jan 2003 
device that is sending sending data. 
data 

spanning tree Loop-free subset of a Loop-free subset of a network ITA/Jan 2003 
network topology topology. 

spanning-tree Algorithm used to Algorithm used by the Spanning-Tree | ITA/Jan 2003 

algorithm create a spanning tree | Protocol to create a spanning tree. 

Spectrum CATVs most Historically, the over-the-air spectrum | BCRAN 

Reuse fundamental concept is | has been assigned to many uses: Mod11 
spectrum reuse. two-way radio, broadcasting, cellular 

phones, and pagers. Much of the 
spectrum is therefore not available for 
the carriage of just TV. The result is 
an inadequate supply of spectrum to 
serve viewers’ needs. Cable 
operators can reuse spectrum that is 
“sealed” in their networks’ coaxial 
cables. 
SPF shortest path Routing algorithm that Routing algorithm that iterates on ITA/Jan 2003 


first algorithm 


determines a shortest- 
path spanning tree 


length of path to determine a 
shortest-path spanning tree. 
Commonly used in link-state routing 
algorithms. Sometimes called 
Dijkstra's algorithm. 


Copyright © 2004, Cisco Systems, Inc. 


Course Glossary 


49 


Acronym or Expansion of | Short Definition for Definition of Acronym or Term Source for 
Term Acronym Mouseover Definition 
SPI security A number that, This is a number that, together witha | ITA/Jan 2003 
parameter together with a destination IP address and security 
index destination IP address _| protocol, uniquely identifies a 
and security protocol, particular security association. When 
uniquely identifies a using IKE to establish the security 
particular security associations, the SPI for each 
association. security association is a pseudo- 
randomly derived number. Without 
IKE, the SPI is manually specified for 
each security association. 
split-horizon Routing technique that | Routing technique in which ITA/Jan 2003 
updates prevents routing loops | information about routes is prevented 
from exiting the router interface 
through which that information was 
received. Split-horizon updates are 
useful in preventing routing loops. 
spoofing Scheme used by 1. Scheme used by routers to cause ITA/Jan 2003 
routers to cause a host | a host to treat an interface as if it 
to treat an interface as | were up and supporting a session. 
if it were up and The router spoofs replies to keepalive 
supporting a session messages from the host in order to 
convince that host that the session 
still exists. Spoofing is useful in 
routing environments, such as DDR, 
in which a circuit-switched link is 
taken down when there is no traffic to 
be sent across it in order to save toll 
charges. See also DDR. 
2. The act of a packet illegally 
claiming to be from an address from 
which it was not actually sent. 
Spoofing is designed to foil network 
security mechanisms, such as filters 
and access lists. 
SSH Secure Shell A secure application A secure application used for logging | BCRAN Mod9 
used for logging into a | into a remote device, executing 
remote device, commands on a remote device, and 
executing commands moving files from remote device to 
on a remote device, remote device 
and moving files from 
remote device to 
remote device 
SSL Secure Socket | Encryption technology | Encryption technology for the Web ITA/Jan 2003 
Layer for the Web used to provide secure transactions, 
such as the transmission of credit 
card numbers for e-commerce. 
static route Route that is explicitly Route that is explicitly configured and | ITA/Jan 2003 
configured in the entered into the routing table. Static 
routing table routes take precedence over routes 
chosen by dynamic routing protocols. 
STDM Statistical time | Technique whereby multiplexing dynamically allocates ITA/Jan 2003 


division 
multiplexing 


information from 
multiple logical 
channels can be 
transmitted across a 
single physical 
channel. 


bandwidth only to active input 
channels, making better use of 
available bandwidth and allowing 
more devices to be connected than 
with other multiplexing techniques. 
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STP Spanning-Tree | Protocol that enables a | Bridge protocol that uses the ITA/Jan 2003 
Protocol learning bridge to work | spanning-tree algorithm, enabling a 
around loops learning bridge to dynamically work 

around loops in a network topology 

by creating a spanning tree. Bridges 

exchange BPDU messages with 

other bridges to detect loops, and 

then remove the loops by shutting 

down selected bridge interfaces. 

Refers to both the IEEE 802.1 

Spanning-Tree Protocol standard and 

the earlier Digital Equipment 

Corporation Spanning-Tree Protocol 

upon which it is based. The IEEE 

version supports bridge domains and 

allows the bridge to construct a loop- 

free topology across an extended 

LAN. The IEEE version generally is 

preferred over the Digital version. 

stub network Network that has a Network that has only a single ITA/Jan 2003 
single connection to a connection to a router. 
router 

subinterface Virtual interface on a One of a number of virtual interfaces ITA/Jan 2003 
single physical on a single physical interface. 
interface 

subnet address Portion of an IP Portion of an IP address that is ITA/Jan 2003 
address specified as specified as the subnetwork by the 
the subnetwork subnet mask. 

subnet mask 32-bit address mask 32-bit address mask used in IP to ITA/Jan 2003 
used to indicate the of | indicate the bits of an IP address that 
IP address bits used are being used for the subnet 
for the subnet address | address. Sometimes referred to 

simply as mask. 

subnetwork Network sharing a In IP networks, a network sharing a ITA/Jan 2003 
particular subnet particular subnet address. 
address Subnetworks are networks arbitrarily 

segmented by a network 
administrator in order to provide a 
multilevel, hierarchical routing 
structure while shielding the 
subnetwork from the addressing 
complexity of attached networks. 

Subscriber drop Connection between Includes coax, typically 59-series or BCRAN 
feeder portion of 6-series coaxial cable; hardware; Mod11 
distribution network passive devices; set-top box (STB). 
and subscriber 
terminal (TV set, VCR, 
and so forth). 

superencryption Encryption operation Encryption operation for which the ITA/Jan 2003 
on output from a plaintext input to be transformed is 
previous encryption the ciphertext output of a previous 

encryption operation. 
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SVC switched Virtual circuit Virtual circuit that is dynamically ITA/Jan 2003 
virtual circuit dynamically established on demand and is torn 
established on down when transmission is complete. 
demand SVCs are used in situations where 
data transmission is sporadic. See 
also virtual circuit. Called a switched 
virtual connection in ATM 
terminology. 
switch Network device that Network device that filters, forwards, ITA/Jan 2003 


filters, forwards, and 
floods frames to a 
destination address 


and floods frames based on the 
destination address of each frame. 
The switch operates at the data-link 
layer of the OSI model. 


switched LAN 


LAN implemented with 
LAN switches 


LAN implemented with LAN switches. 


ITA/Jan 2003 


switching Process of delivering Process of taking an incoming frame ITA/Jan 2003 
an incoming frame from one interface and delivering it 
from one interface through another interface. Routers 
through another use Layer 3 switching to route a 
packet, and Layer 2 switches use 
Layer 2 switching to forward frames. 
symmetric key Key used ina Cryptographic key that is used ina ITA/Jan 2003 
symmetric symmetric cryptographic algorithm. 
cryptographic 
algorithm 
synchronous Digital signals that are | Term describing digital signals that ITA/Jan 2003 
transmission transmitted with are transmitted with precise clocking. 
precise clocking Such signals have the same 
frequency, with individual characters 
encapsulated in control bits (called 
start bits and stop bits) that designate 
the beginning and the end of each 
character. 
T1 Digital WAN carrier Digital WAN carrier facility. T1 ITA/Jan 2003 
facility operating at transmits DS-1-formatted data at 
1.544 Mbps 1.544 Mbps through the telephone- 
switching network, using AMI or 
B8ZS coding. 
T3 Digital WAN carrier Digital WAN carrier facility. T3 ITA/Jan 2003 
facility operating at transmits DS-3-formatted data at 
44.736 Mbps 44.736 Mbps through the telephone 
switching network. 
TACACS Terminal Authentication Authentication protocol, developed by | ITA/Jan 2003 
Access protocol, developed by | the DDN community that provides 
Controller the DDN community remote access authentication and 
Access Control related services, such as event 
System logging. User passwords are 
administered in a central database 
rather than in individual routers, 
providing an easily scalable network 
security solution. See also TACACS+ 
in the "Cisco Systems Terms and 
Acronyms" section 
T-carrier TDM transmission TDM transmission method usually ITA/Jan 2003 


method 


referring to a line or a cable carrying 
a DS-1 signal. 
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TCP/IP Transmission Suite of protocols that Common name for the suite of ITA/Jan 2003 
Control support the protocols developed by the U.S. DoD 
Protocol/Intern | construction of in the 1970s to support the 
et Protocol worldwide construction of worldwide 
internetworks internetworks. TCP and IP are the 
two best-known protocols in the suite. 
TDM time-division Technique in which Technique in which information from ITA/Jan 2003 
multiplexing information from multiple channels can be allocated 
multiple channels can bandwidth on a single wire based on 
be allocated bandwidth | pre-assigned time slots. Bandwidth is 
ona single wire based _ | allocated to each channel regardless 
on pre-assigned time of whether the station has data to 
slots. transmit. Compare with ATDM, FDM, 
and statistical multiplexing. 
TE terminal Any ISDN-compatible Any ISDN-compatible device that can | ITA/Jan 2003 
equipment device that can be be attached to the network, such as a 
attached to the telephone, a fax, or a computer. 
network 
TEI terminal Address that identifies | Field in the LAPD address that ITA/Jan 2003 
endpoint a device on an ISDN identifies a device on an ISDN 
identifier interface interface. See also TE. 
Telnet Standard TCP/IP Standard terminal emulation protocol | ITA/Jan 2003 
terminal emulation in the TCP/IP protocol stack. Telnet is 
protocol used for remote terminal connection, 
enabling users to log in to remote 
systems and use resources as if they 
were connected to a local system. 
Telnet is defined in RFC 854. 
terminal Simple device at which | Simple device at which data can be ITA/Jan 2003 
data is entered or entered or retrieved from a network. 
retrieved from a Generally, terminals have a monitor 
network and a keyboard, but no processor or 
local disk drive. 
terminal adapter Device used to Device used to connect ISDN BRI ITA/Jan 2003 
connect ISDN BRI connections to existing interfaces, 
connections to existing | such as EIA/TIA-232. Essentially, an 
interfaces ISDN modem. 
terminal Network application Network application in which a ITA/Jan 2003 
emulation that makes a terminal computer runs software that makes it 
appear to a remote appear to a remote host as a directly 
host as directly attached terminal. 
attached 
terminal server Communications Communications processor that ITA/Jan 2003 
processor that connects asynchronous devices, 
connects such as terminals, printers, hosts, 
asynchronous devices | and modems, to any LAN or WAN 
to a network that uses TCP/IP, X.25, or LAT 
protocols. Terminal servers provide 
the internetwork intelligence that is 
not available in the connected 
devices. 
TFTP Trivial File Simple file transfer Simplified version of FTP that allows ITA/Jan 2003 
Transfer protocol without use of | files to be transferred from one 
Protocol authentication computer to another over a network, 


usually without the use of client 
authentication (for example, 
username and password). 
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Acronym or Expansion of | Short Definition for Definition of Acronym or Term Source for 
Term Acronym Mouseover Definition 
throughput Rate of information Rate of information arriving at, and ITA/Jan 2003 
arriving at a particular possibly passing through, a particular 
point in a network point in a network system. 
TIA Telecommunic | Telecommunications Telecommunications Industry ITA/Jan 2003 
ations Industry | Industry Alliance Alliance. Organization that develops 
Alliance standards organization | standards relating to 
telecommunications technologies. 
Together, the TIA and the EIA have 
formalized standards, such as 
EIA/TIA-232, for the electrical 
characteristics of data transmission. 
See also EIA. 
token storage Cryptography key Cryptography key used to protect ITA/Jan 2003 
key data that is stored on a security 
token. 
topology Physical arrangement Physical arrangement of network ITA/Jan 2003 
of network nodes and nodes and media within an enterprise 
media networking structure. 
traceroute Program that traces Program available on many systems ITA/Jan 2003 
the path a packet that traces the path a packet takes to 
takes to a destination a destination. It is used mostly to 
debug routing problems between 
hosts. A traceroute protocol is also 
defined in RFC 1393. 
traffic shaping Use of queues to limit Use of queues to limit surges that can | ITA/Jan 2003 
(shape) surges that congest a network. Data is buffered 
can congest a network | and then sent into the network in 
regulated amounts to ensure that the 
traffic fits within the promised traffic 
envelope for the particular 
connection. Traffic shaping is used in 
ATM, Frame Relay, and other types 
of networks. Also known as metering, 
shaping, and smoothing. 
transform The list of operations The list of operations done on a ITA/Jan 2003 
done on a dataflow to dataflow to provide data 
provide data authentication, data confidentiality, 
authentication, data and data compression. For example, 
confidentiality, and one transform is the ESP protocol 
data compression. with the HMAC-MD5 authentication 
algorithm; another transform is the 
AH protocol with the 56-bit DES 
encryption algorithm and the ESP 
protocol with the HMAC-SHA 
authentication algorithm. 
trunk Physical and logical Physical and logical connection ITA/Jan 2003 
connection between between two switches across which 
two switches network traffic travels. A backbone is 
composed of a number of trunks. 
trust-file PKI Trust-file Non-hierarchical Non-hierarchical PKI in which each ITA/Jan 2003 
public-key public-key certificate user has a local file (which 
infrastructure infrastructure used for is used by application software) of 


security checking 


public-key certificates that the user 
trusts as starting points (that is, roots) 
for certification paths. 
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Acronym or Expansion of | Short Definition for Definition of Acronym or Term Source for 
Term Acronym Mouseover Definition 
tunnel Secure communication | Secure communication path between | ITA/Jan 2003 
path between two two peers, such as two routers. 
peers 

tunneling Architecture that Architecture that is designed to ITA/Jan 2003 
provides services used | provide the services necessary to 
to implement point-to- implement any standard point-to-point 
point encapsulation encapsulation scheme. 

U interface User-interface | The DSL interface The interface between the telco and ITA/Jan 2003 
between the telco and the user, also known as the local 
the user digital subscriber line (DSL) loop. 

uBR Universal Cisco Broadband The uBR7246 and uBR7223 are ITA/Jan 2003 

Broadband Cable Device-- DOCSIS-compliant cable modem 
Router Universal Broadband termination systems (CMTSs). The 
Router uBR900, UBR904, and UBR924 are 
DOCSIS-certified cable modems. 
UDP User Datagram | Connectionless UDP is a simple protocol that ITA/Jan 2003 
Protocol transport layer protocol | exchanges datagrams without 
in the TCP/IP protocol acknowledgments or guaranteed 
stack. delivery, requiring that error 
processing and retransmission be 
handled by other protocols. 
U-NII Unlicensed Term coined by federal regulators to ITA/Jan 2003 
National describe the access of information for 
Information citizens and business. Equivalent to 
Infrastructure the term "information superhighway," 
it does not describe system 
architecture or topology. 

US Upstream RF signal flow from the | RF signal flow from the subscribers to | BCRAN 
subscribers to the the headend. Also called the return or | Mod11 
headend. Also called reverse path. 
the return or reverse 
path. 

V.35 V.35 ITU-T standard ITU-T standard describing a ITA/Jan 2003 
describing a synchronous, physical layer protocol 
synchronous, physical used for communications between a 
layer protocol network access device and a packet 

network. V.35 is most commonly 
used in the United States and in 
Europe, and is recommended for 
speeds up to 48 kbps. 
VDSL very-high-data- | One of four DSL The operating range of VDSL is ITA/Jan 2003 
rate digital technologies. VDSL limited to 1,000 to 4,500 feet (304.8 
subscriber line | delivers 13 to52 Mbps | to 1,372 meters). 
downstream and 1.5 to 
2.3 Mbps upstream 
over a single twisted 
copper pair. 
virtual circuit Logical circuit that Logical circuit created to ensure ITA/Jan 2003 


ensures reliable 
communication 
between two network 
devices 


reliable communication between two 
network devices. A virtual circuit is 
defined by a VPI/VCI pair, and can be 
either permanent (PVC) or switched 
(SVC). Virtual circuits are used in 
Frame Relay and X.25. In ATM, a 
virtual circuit is called a virtual 
channel. Sometimes abbreviated VC. 
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Acronym or Expansion of | Short Definition for Definition of Acronym or Term Source for 
Term Acronym Mouseover Definition 
VLAN virtual LAN Group of devices on Group of devices on one or more ITA/Jan 2003 
separate LANs that LANs that are configured (using 
communicate as if they | management software) so that they 
were attached to the can communicate as if they were 
same wire attached to the same wire, when in 
fact they are located on a number of 
different LAN segments. Because 
VLANs are based on logical instead 
of physical connections, they are 
extremely flexible. 
VLSM variable length | Capability to specify a Capability to specify a different ITA/Jan 2003 
subnet mask different subnet mask subnet mask for the same network 
for the same network number on different subnets. VLSM 
number on different can help optimize available address 
subnets space. 
VoIP Voice over IP The capability to carry normal ITA/Jan 2003 
telephony-style voice over an IP- 
based internet with POTS-like 
functionality, reliability, and voice 
quality. VoIP enables a router to carry 
voice traffic (for example, telephone 
calls and faxes) over an IP network. 
In VoIP, the DSP segments the voice 
signal into frames, which are then 
stored in groups of two within voice 
packets. These voice packets are 
transported using IP in compliance 
with ITU-T specification H.323. 
VPDN Virtual private Cisco standard that Cisco standard that enables a private | BCRAN 
dial-up network | enables a private network dial-in service to span across | Mod11 
network dial-in service | to remote access servers. 
to span across to 
remote access 
servers. 
VPN Virtual Private Tunneling that enables | Enables IP traffic to travel securely ITA/Jan 2003 
Network IP traffic to travel over a public TCP/IP network by 
securely over a public encrypting all traffic from one network 
TCP/IP network by to another. A VPN uses "tunneling" to 
encrypting all traffic encrypt all information at the IP level. 
from one network to 
another 
vty virtual type Virtual type terminal Virtual type terminal commonly used ITA/Jan 2003 
terminal commonly used as as virtual terminal lines. 
virtual terminal lines 
WAN wide-area Data network that Data communications network that ITA/Jan 2003 
network serves users across a serves users across a broad 


broad geographic area 


geographic area and often uses 
transmission devices provided by 
common carriers. Frame Relay, 
SMDS, and X.25 are examples of 
WANs. 
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Acronym or Expansion of | Short Definition for Definition of Acronym or Term Source for 
Term Acronym Mouseover Definition 
WFQ weighted fair 1. WFQ provides traffic | 1. Weighted fair queuing can prioritize | BCRAN Mod9 
queuing priority management traffic based on flows (flow-based and ITA/Jan 
that dynamically sorts weighted fair queuing) or user- 2003 
traffic into defined classes (class-based 
conversations, or weighted fair queuing). 
flows, based on Layer 
3 or 4 information. 2. Congestion management algorithm 
that identifies conversations (in the 
2. Congestion form of traffic streams), separates 
management algorithm | packets that belong to each 
conversation, and ensures that 
capacity is shared fairly between 
these individual conversations. WFQ 
is an automatic way of stabilizing 
network behavior during congestion 
and results in increased performance 
and reduced retransmission. 

WIC WAN interface | Card that connects a Connects the system to the WAN link | ITA/Jan 2003 
card device to the WAN link | service provider. 

service provider 

wideband See broadband. See broadband. ITA/Jan 2003 

wildcard mask Value that determines | A 32-bit quantity used in conjunction ITA/Jan 2003 

which bits in an IP with an IP address to determine 

address to ignore with which bits in an IP address should be 

access lists ignored when comparing that address 
with another IP address. A wildcard 
mask is specified when setting up 
access lists. 

WRED weighted Queueing method Queueing method that ensures that ITA/Jan 2003 
random early high-precedence traffic has lower loss | and BCRAN 
detection Extends RED functions | rates than other traffic during times of | Mod9 

by permitting more congestion. 

granular RED drop 

profiles for different WRED combines RED with IP 

types of traffic Precedence values or with 
Differentiated Services Code Point 
(DSCP) values. 

xDSL X Digital Group term used to Group term used to refer to ADSL, ITA/Jan 2003 
Subscriber refer to ADSL, HDSL, HDSL, SDSL, and VDSL. All are 
Link SDSL, and VDSL. emerging digital technologies using 


the existing copper infrastructure 
provided by the telephone 
companies. xDSL is a high-speed 
alternative to ISDN. 


Copyright © 2004, Cisco Systems, Inc. 


Course Glossary 


57 


58 Building Cisco Remote Access Networks (BCRAN) v2.1 Copyright © 2004, Cisco Systems, Inc. 


BCRAN | 


Building Cisco 
Remote Access 
Networks 


Version 2.1 


Lab Guide 


Copyright © 2004, Cisco Systems, Inc. All rights reserved. 


Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax 


numbers are listed on the Cisco Web site at www.cisco.com/go/offices. — 


Argentina « Australia * Austria * Belgium * Brazil * Bulgaria * Canada * Chile * China PRC * Colombia * Costa Rica 
Croatia * Czech Republic * Denmark * Dubai, UAE » Finland * France * Germany * Greece * Hong Kong SAR * 
Hungary ¢ India « Indonesia * Ireland ¢ Israel * Italy * Japan * Korea * Luxembourg * Malaysia * Mexico * The 
Netherlands * New Zealand * Norway ° Peru * Philippines * Poland « Portugal * Puerto Rico * Romania * Russia ¢ 
Saudi Arabia * Scotland * Singapore * Slovakia * Slovenia * South Africa * Spain * Sweden * Switzerland * Taiwan 
Thailand « Turkey * Ukraine * United Kingdom * United States * Venezuela * Vietnam * Zimbabwe 


we Copyright 4 2004 Cisco Systems, Inc. All rights reserved. CCIP, CCSP, the Cisco Powered Network mark, 
LF) Cisco Unity, Follow Me Browsing, FormShare, and Stack Wise are trademarks of Cisco Systems, Inc.; 
Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and 
Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork 
Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems 
logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, 
Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, MGX, MICA, 
the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, 
RateMUX, Registrar, ScriptShare, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, The 
Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are registered trademarks of Cisco Systems, 
Inc. and/or its affiliates in the United States and certain other countries. 


All other trademarks mentioned in this document or Website are the property of their respective owners. The use of 
the word partner does not imply a partnership relationship between Cisco and any other company. (0401R) 


BCRAN | 


Lab Guide 


Overview 


Use the exercises here to complete the lab exercises for this course. The solutions information 
is found in the Lab Exercise Answer Key. 


Outline 
This Lab Guide includes these exercises: 
m Lab Exercise 1-1: Using the BCRAN Lab Equipment 
m Lab Exercise 2-1: Configuring Asynchronous Connections with Modems 
= Lab Exercise 3-1: Configuring and Verifying PPP Operations 


m Lab Exercise 4-1: E-Lab: Simulation for Configuring a Cisco 827 Router for NAT with 
PPPoA 


m= Lab Exercise 5-1: Configuring a Site-to-Site IPSec VPN Using Preshared Keys 
m Lab Exercise 6-1: Using ISDN and DDR to Enhance Remote Connectivity 
m= Lab Exercise 7-1: Using Dialer Profiles to Enhance DDR 


m Lab Exercise 8-1: Establishing a Dedicated Frame Relay Connection and Controlling 
Traffic Flow 


m= Lab Exercise 9-1: Enabling a Backup to a Primary Connection 

m Lab Exercise 10-1: Managing Network Performance Using CBWFQ and LLQ 
m= Lab Exercise 11-1: Using AAA to Scale Access Control 

m Super Lab 


Lab Exercise 1-1: Using the BCRAN Lab 
Equipment 


Complete this lab exercise to practice what you learned in the related module. 


Exercise Objectives 
In this exercise you will complete the following tasks: 
m= Establish a telnet session onto the BCRAN remote equipment pods 
m= Establish and terminate console connections to the remote routers 


™ Configure the central, branch, and SOHO routers with the preconfiguration lab files from 
the TFTP server 


Visual Objective 


The figure illustrates what you will accomplish in this exercise. 
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Command List 


The commands used in this exercise are described in the table here. 


Helpful Commands 


Command 


clsx 


Description 


Clears an existing console connection where X is the connection 
number (1 = central, 2 = branch, 3 = SOHO) 


Ctrl-Shift-6 and 
then x 


Pressing this key combination suspends a console session and returns 
you to the terminal server menu 


copy tftp startup- 


Copies a configuration from the TFTP server to the startup 


config configuration 
exit Exits the terminal server and terminates all console sessions 
Note The clsX command is not a Cisco |OS command but is an alias to the Cisco IOS clear line 
command that has been configured at the terminal server for ease of use in this course. 
Scenario 


You will familiarize yourself with the usage of the BCRAN remote lab equipment and 
configure your routers to accept the lab preconfiguration files. 


Setup 


Gather the information shown in these tables prior to starting this lab. 


Remote Equipment Information Required | Example Write in your 

Comm Server remote comm 
server information 

BCRAN terminal server | IP address 10.1.1.254 

BCRAN terminal server | Username BCRAN 

BCRAN terminal server | Password Cisco 
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Pod Number Information Required | Example Write in the 

(Assigned by your (X is your pod number; information for 

instructor) all subnet masks are your pod 
255.255.255.0; 

Central router LAN interface IP 10.X.0.1 

Central router LAN interface type Ethernet0/0 

Central router Preconfiguration file pXcL 

Branch router LAN interface IP 10.X.10.2 

Branch router LAN interface type FastEthernetO 

Branch router Preconfiguration file pXbL 

SOHO router LAN interface IP 10.X.100.3 

SOHO router LAN interface type FastEthernetO 

SOHO router Preconfiguration file pXsL 

TFTP server for central | IP address 10.X.0.200 

TFTP server for branch | IP address 10.X.10.200 

TFTP server for SOHO | IP address 10.X.100.200 


Verify that your workstation has Internet connectivity. 


Verify that you have established a Telnet session on the BCRAN communication server from 
your workstation. 


Note Different pods could be equipped with different models and modules. For example, some 
pods may have a Cisco 3640 router, while other pods may consist of a Cisco 2600 Series 
router. Some pods will be using Ethernet interfaces, while other pods may use FastEthernet 
interfaces. Ask your instructor for further information about the differences within your 


equipment pods. 
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Task 1: Run Telnet to Connect to BCRAN Remote Lab 


To begin the lab exercises, you will use the Telnet utility to establish a connection to the remote 
lab equipment for this course. 


Exercise Procedure 


Complete these steps: 
Step 1 From the Microsoft Windows Start Menu, choose Run. The Run window displays. 


Step 2 In the Open field, enter the telnet command followed by the IP address for your 
terminal server, provided by your instructor. For example, if the terminal server 
address your instructor provided is 10.1.1.254, you would enter the following: 


telnet 10.1.1.254 


If your Telnet session connects successfully to the terminal server, you should see 
the following authentication: 


User Access Verification 


Username: 


Step 3 Enter the username student and the password given to you by your instructor. 


Step 4 On successful login, you should see a menu similar to the following: 


KEK KK KEE ERK REE BCRAN-v2 Main Menu RRR RRR RR RIK 


Welcome authorized users to the 


Cisco Systems Internet Learning Solutions Group BCRAN-v2 
Lab. 


Unauthorized access to or use of this lab is prohibited. 


Type "exit" at any time while in the menu to disconnect. 


RRR KEKEEKRERE ERE EK EERE EKER ERE KERR EKER ERK EKER ERE KEKE EKERKERKKEKREKRE 
KK 


Connect to podl 
Connect to pod2 
Connect to pod3 
Connect to pod4 
Connect to pod5 
Connect to pod6é 
Connect to pod7 
Connect to pods 


wo oT Hn UV FF W DYN FR 


Exit 
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Please select menu item: 


Step 5 The term “pod” refers to the group of routers that you will be using to complete your 
lab exercises for this course. At the Please Select Menu Item prompt, enter the pod 
number assigned to you by your instructor and press Return. Your output should 
look similar to the following: 


RRR RRR RRR RR RR RRR RR ER RE BCRAN-V2 POd9 (FRE 


To exit telnet session and return to the menu press 
"CTRL+SHIFT+6" then "x". If need be you can clear 
connections by typing cls# 
(where # = the menu item#, ie, cls2) 


Type "exit" at any time while in the menu to disconnect. 


KRREKKEKEEKREREKRE KEKE EKER KEE EKER EERE REE ERE RE KER EKER REE KEKEKREKKEKEKEEEK 


ITEM# DEVICE NAME 
1 Connect to central 9 
2 Connect to branch 9 
3 Connect to soho 9 
4 Return to main menu 


Please enter selection: 


Step 6 The menu shown in Step 5 is the router selection menu. Your pod number is on the 
top line, and the display lists the routers in your pod. This example is for pod 9. 


Step 7 From the router selection menu, you can connect to your access router. After you 
have connected to a network device from the terminal server, enter the escape 
sequence, pressing Ctrl-Shift-6, then x, to return to the router selection menu. 
Although this action will bring you back to the router selection menu, your console 
connection to the access router will still be open and active in the background. You 
will be able to open additional console connections to other routers. (A terminal 
server console connection is similar to a standard telephone call in that there can be 
only one console connection to a router at a time. A second console connection to 
the same router would be busy. If a console connection is already open and active, 
then that connection will need to be cleared.) 


Step 8 Enter 3 in the router selection menu to connect to your small-office, home-office 
(SOHO) router. You should see the following (or something similar) in your Telnet 
session: 


Please enter selection:3 


Trying hl (10.10.10.10, 2033)... Open 
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Step 9 


Step 10 


Step 11 


Step 12 


Step 13 


Step 14 


Step 15 


Step 16 


Step 17 


Press Return to access the device prompt. 


To return to the router selection menu, press Ctrl-Shift-6, then x. The router 
selection menu displays. 


Enter 3 to reconnect to your SOHO router and regain access to your previous 
console connection. 


Return to the router selection menu by pressing CtrI-Shift-6, then x. 


Sometimes a connection to a device was not cleared after the previous Telnet user 
left. To access a device that appears to be in use, use the cls¥ command, where_X is 
the number of the device you want to connect to. To clear the console connection to 
the SOHO router, enter cls3. You will be prompted to confirm this action: 


Please enter selection:cls3 
[confirm] 


When you want to log out of the terminal, return to any menu and enter exit at the 
Please Enter Selection prompt: 


Please enter selection:exit 
(You have open connections) [confirm] 


If there are active console connections at that time, you need to confirm by either 
entering y or pressing Return to close those connections. 


Depending on which operating system is running on your PC, you may need to press 
Return after terminating your Telnet session. 


Proceed to Task 2. 


Task 2: Preparing the Central Router for the Lab 
Preconfiguration 


This task prepares the central router for the lab preconfiguration. 


Exercise Procedure 


Complete these steps: 


Step 1 


Step 2 


Step 3 


Connect to the console of the central router in your pod. 


Configure the LAN interface of the central router with the IP address and subnet 
mask shown in the setup tables. Enable the interface with the no shutdown 
command. 


Using the copy tftp startup-config command, load the preconfiguration file for 
your pod on the central router. The filename is formatted as pXcL, where p 
represents the pod, X represents your pod number, c represents the central router, 
and L represents the lab number. If, for example, you are on pod 9 and you are 
preparing for lab 1, copy the file p9c1. Use the TFTP address that is listed in the 
setup table. 
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Step 4 


Step 5 


Step 6 


After the central router has copied the preconfiguration file, execute a show startup- 
config command to display the router configuration that will be used on a reload of 
the central router. 


Reload the central router and observe the output. 


Proceed to Task 3. 


Task 3: Preparing the Branch Router for the Lab 
Preconfiguration 


This task prepares the branch router for the lab preconfiguration. 


Exercise Procedure 


Step 1 


Step 2 


Step 3 


Step 4 


Step 5 


Step 6 


Connect to the console of the branch router for your pod. 


Configure the LAN interface of the branch router with the IP address and subnet 
mask that is listed in the setup tables. Do not forget to enable the interface with the 
no shutdown command. 


Using the copy tftp startup-config command, load the startup configuration file on 
the branch router. The filename is formatted as pXbL, where p represents the pod, X 
represents your pod number, b represents the branch router, and L represents the lab 
number. If, for example, you are on pod 9 and you are preparing for lab 1, copy the 
file p9b1. Use the TFTP address that is listed in the setup table. 


After the branch router has copied the preconfiguration file, execute a show startup- 
config command to display the router configuration that will be used on a reload of 
the branch router. 


Reload the branch router and observe the output. 


Proceed to Task 4. 


Task 4: Preparing the SOHO Router for the Lab 
Preconfiguration 
This task prepares the SOHO Router for the lab preconfiguration. 


Exercise Procedure 


Complete these steps: 


Step 1 


Step 2 


Step 3 


Connect to the console of the SOHO router for your pod. 


Configure the LAN interface of the SOHO router with the IP address and subnet 
mask that is listed in the setup tables. Do not forget to enable the interface with the 
no shutdown command. 


Using the copy tftp startup-config command, load the preconfiguration file on the 
SOHO router. The filename is formatted as pXsL, where p represents the pod, X 
represents your pod number, s represents the SOHO router, and L represents the lab 
number. If, for example, you are on pod 9 and you are preparing for lab 1, copy the 
file p9s1. Use the TFTP address that is listed in the setup tables. 
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Step 4 After the SOHO router has copied the preconfiguration file, execute a show startup- 
config command to display the router configuration that will be used on a reload of 
the SOHO router. 


Step 5 Reload the SOHO router and observe the output. 


Exercise Verification 
You have completed this exercise when you have attained these results: 
m Successfully navigated through the BCRAN remote equipment pods 


= Loaded the preconfiguration files onto the central, branch, and SOHO routers from the 
TFTP server 
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Lab Exercise 2-1: Configuring Asynchronous 
Connections with Modems 


Complete the lab exercise to practice what you have learned in the related module. 


Exercise Objective 
On completion of this lab, you will be able to: 


™ Configure an access server for modem connectivity so telecommuters can access the central 
site 


m= Establish a reverse Telnet session to the modem and configure the modem for basic 
asynchronous operations 


™ Configure the router auxiliary port to provide remote access to a router for remote 
configuration and diagnostics 


m™ Set up the branch router to autoconfigure the modem 

m Set up a modem connection, initiated by the central site, to the branch site router via the 
auxiliary port, modeling remote configuration, remote operation, and troubleshooting of 
network resources 


Visual Objective 


The figure illustrates what you will accomplish in this exercise. 


Legend 
POTS 


LAN 
Connection 


Async d 
Modem seen 
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Command List 


The commands used in this exercise are described in the table here. 


Helpful Commands 


Command 


Ctrl-Shift-6, then x 


Description 


Pressing this key combination suspends the current Telnet 
session and returns you to the system command prompt 


debug confmodem 


Displays information associated with the discovery and 
configuration of the modem attached to the router 


disconnect 


Disconnects an active Telnet session 


exec-timeout minutes 
[seconds] 


Sets the interval that the EXEC command interpreter waits until 
user input is detected 


flowcontrol hardware 


Use the CTS/RTS signal lines for flow control 


ip host name number 
address 


Defines a name and associates it with a port or address for 
Telnet. (Use a 2xxx number for the line.) 


login local 


Selects local password checking. Authentication is based on the 
username specified with the username global configuration 
command 


modem autoconfigure 
{type modem-type | 
autodiscovery } 


Sets the line to use the autoconfigure feature to configure an 
attached modem either by specifying the modem type or 
attempting to discover the type automatically 


modem inout 


Sets the line to allow incoming and outgoing connections 


show line 


Displays parameters of a terminal line 


show session 


Displays information about Telnet connections 


speed speed 


Defines the communications speed between the router and the 
modem 


rie ea {o | 1 | 1.5 
2 


Defines the number of stop bits for each byte of asynchronous 
data 


transport input all 


Sets a line to allow all protocols 


username hostname 
Password password 


Sets the username and password for local security reasons 


Scenario 


The central site and the branch site require occasional dialup connection to each other. On the 
central site, you will configure the central router auxiliary port for dialup connectivity and 
manually configure the modem via a reverse Telnet session. On the branch site, you will 
configure the branch router auxiliary port for dialup connectivity and configure the router to 
autoconfigure the attached modem. 
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Setup 


Setup Tasks 


Gather the information shown in this table prior to starting this lab. 


Pod Number 


Information Required 


Example (X is your 
pod number; all 
subnet masks are 


Write in the 
information for your 
pod 


255.255.255.0) 
Central router Your (first) LAN Ethernet 0/0 
interface type 
Central router Your (first) LAN 10.X.0.1 
interface IP 
Central router Aux line number (use 65 
show line command ) | 129 
Central router Analog phone number | 55510nn 
Branch router Your (first) LAN FastEthernetO 
interface type EthernetO 
Branch router Your (first) LAN 10.X.10.2 
interface IP 
Branch router Aux line number 5 
Branch router Analog phone number | 55510nn 


From your PC, establish a Telnet session on the terminal server and open a console connection 


to the branch router of your pod. 


From your PC, establish a Telnet session on the terminal server again and open a second 
console connection to the central router of your pod. 


You will now be able to configure and observe output on both routers simultaneously. 


Use the TFTP facility to copy the appropriate preconfiguration files to the central and branch 
routers, and reload the routers. 


Determine the terminal line number for the auxiliary port on both the central and branch routers 


using the show line command. Enter the information in the setup table for reference during 


the lab. 
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Task 1: Configuring the Auxiliary Port and Line Connectivity on 
the Central Router 


To maximize the availability of the central router interfaces, you will configure the auxiliary 


port to connect to the modem via a rollover cable and a DCE modem adapter. 


Exercise Procedure 


Complete the following steps: 


Step 1 Configure the central router with the username central_X (where X is the pod 


number) and the password cisco. 


Step 2 Configure the auxiliary interface security settings to challenge users based on the 


local username. 


Step 3 Configure the auxiliary interface to allow incoming and outgoing modem 
connections. 


Step 4 Configure the auxiliary interface to allow any input transport protocol. 


Step 5 Configure the auxiliary interface to set the line speed between router and modem to 


115200 bps. The default is 9600 bps. 


Step 6 Configure the auxiliary interface to use | stop bit and CTS/RTS flow control. 


Step 7 Verify your configuration and the line settings. 


If you are using a Cisco 3600 Series router, your output will look similar to this: 


Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise 

Overruns Int 

* 0 CTY - = - - - 0) 0 
65 TTY - inout - 7 7 0 0 
66 TTY - inout = = 7 0 0 
67 TTY - inout = = 7 0 0 
68 TTY - inout = = a 0 0 
69 TTY - inout - - 7 0 0 
70 TTY - inout - - 7 0 0 
129 AUX 115200/115200- inout - - 7 0 1 
130 VTY - - i = 0 0 
131) VTY - - i : : 0 0 
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Line(s) not in async mode -or- with no hardware support: 


1-64, 


71-128 


If you are using a Cisco 2600 Series router, your output will look similar to this: 


Tty Typ 
Overruns 


* 


0 


65 


66 


67 


68 


69 


70 


Step 8 


Note 


Step 9 


Step 10 


CTY 


AUX 


Tx/Rx A Modem Roty AccO AccI 


Int 


115200/115200- inout 


Uses Noise 


0 0 0/0 
0 1 0/0 
0 0 0/0 
0 0 0/0 
0 0 0/0 
0 0 0/0 
0 0 0/0 


To simplify the reverse Telnet connection, create a static host entry called modem 
with the ip host command. Use as the port number 2000 + your TTY number, and 
use the IP address of the central router LAN interface. For example, if you have a 
Cisco 2600 Series router in your pod and the TTY number of the auxiliary port is 65, 
the port number will be 2065. 


The name used here is “modem” but it can be any name you choose. The TCP port number 
2129 specifies a port the Telnet protocol will use to establish a connection to line 129 (TCP 
port 2000 + line number is a Cisco standard). The alias address that the ip host command 
references is the IP address of a valid interface that is up. In this case, the interface is the 
LAN interface, but it is common to use a loopback interface. Refer to the setup table for this 


lab for the correct interface IP address. 


Save your configuration to NVRAM. 


Proceed to Task 2. 
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Task 2: Configuring the Central Site Modem 


There are several ways to configure a modem. In this example, you will initiate a reverse Telnet 
connection. 


Exercise Procedure 


Complete the following steps: 


Step1 From the central router, type modem, which is the host alias you just configured. This 
action connects you to the modem on the TTY line associated with your auxiliary port 
via reverse Telnet. Troubleshoot if necessary. 


Step 2 The login local command prompts for a username and password. Enter the username 
central_X and the password cisco, then press Return. 


Step 3 Enter AT and press Return. Observe that you receive an OK from the modem. AT 
commands differ by manufacturer. The AT commands used in this exercise are 
specific to a U.S. Robotics modem. 


Step 4 Describe the function of the AT commands shown here. Commands are not case 
sensitive. Notice that typing $ provides useful help for the various AT commands. 


1. AT$ 
2. AT&S$ 
3. ATDS$ 


Write the function of each command in the space provided. Remember that you can 
use the $ feature. 


4. AT&F 
5. ATI4 

6. ATI5S 

7. ATZ3 

8. ATS0=2 
9. AT&W 
10. ATDT 


Step5 Enter the AT&F and ATZ3 commands to load and reset the original factory defaults 
for the modem. 


Step6 Enter the ATI4 command to display the current settings for the modem. The output 
should be similar to the following: 


ati4 

U.S. Robotics 56K FAX EXT Settings... 
BO El Fl M1 QO V1 X1 YO 
BAUD=115200 PARITY=N WORDLEN=8 
DIAL=TONE ON HOOK CID=0 
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&Al &BO &Cl &D2 

&M4 &NO &PO &R1 

S00=000 S01=000 
S06=004 

S07=060 S08=002 
$13=000 

$15=000 S16=000 
$23=019 

S$25=005 S27=000 
$32=002 

S33=000 S34=000 
S40=001 

S41=000 S42=000 


LAST DIALED #: 


OK 


Step 7 
invoke on the modem. 


ATS0=2 
AT&C1 
AT&D2 
AT&H1 
ATE&R2 
AT&M4 
AT&B1 
AT&K1 
AT&N6 


Note 


S02=043 


S09=006 


S$18=000 


S28=-008 


$35=000 


&HO 
&T5 


&I0 
&U0 


S03=013 


$10=014 


S19=000 


$29=020 


S36=014 


ATSO=2 &C1l &D2 &H1 &R2 &M4 &B1 &K1 &N6 


Step 8 


should now be similar to the following: 


ati4 


U.S. Robotics 56K FAX EXT Settings... 


BO El Fl M1 QO 
BAUD=115200 
DIAL=TONE 

&Al &Bl 


&C1l &D2 
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ON HOOK 


Vl x4 


&GO 


&H1 


YO 


PARITY=N WORDLEN=8 
CID=0 


&I0 


&K1 

&Y1 

S04=010 S05=008 
$11=070 S12=050 
$21=010 S22=017 
S30=000 S31=128 
S38=000 S39=000 


Enter the following commands in the sequence given to specify the parameters to 


You could also carefully enter the following commands in the specified sequence: 


Enter the ATI4 command to display the current settings for the modem. The output 


&K1 
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Step 9 


Step 10 


Note 


Step 11 


Step 12 


Step 13 


&M4 &N6 &PO &R2 &SO &T5 &U0 &Y1 


S00=002 S01=000 S02=043 S03=013 S04=010 S05=008 
S06=004 


S07=060 S08=002 S09=006 S10=014 S11=070 S12=050 
$13=000 


$15=000 S16=000 S18=000 S19=000 S21=010 S22=017 
$23=019 


S$25=005 S27=000 S28=008 S29=020 S30=000 S$31=128 
$32=002 


S33=000 S34=000 S35=000 S36=014 S38=000 S39=000 
$40=001 


S41=000 S42=000 


LAST DIALED #: 


OK 


Save the setting to NVRAM with the AT&W command. 


Press Ctrl-Shift-6, and then x, to exit the reverse Telnet session. 


If you are doing the labs remotely, you may not be able to terminate the reverse Telnet 
session properly. Try pressing the Ctrl-Shift-6 sequence twice, and then pressing x (Ctrl- 
Shift-6, Ctrl-Shift-6, x). 


Enter the show session command to display the Telnet sessions that are currently 
active. 


Enter the disconnect command to clear the reverse Telnet session. (This 1s a critical 
command. If you fail to disconnect, you will be unable to reconnect.) 


Proceed to Task 3. 
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Task 3: Configuring the Branch Router Auxiliary Interface 


This task will configure the branch router auxiliary interface including security settings. 


Exercise Procedure 


Complete the following steps: 


Step 1 


Step 2 


Step 3 


Step 4 
Step 5 
Step 6 


Step 7 


Configure the branch router with the local username branch_X (where X is the pod 


number) and the password cisco. 


Configure the auxiliary interface security settings to challenge users based on the 


local username. 


Configure the auxiliary interface to allow incoming and outgoing modem 


connections. 


Configure the auxiliary interface to allow any incoming transport protocol. 


115200 bps. The default is 9600 bps. 


Configure the auxiliary interface to use | stop bit and CTS/RTS flow control. 


Verify your configuration and the line settings. The output should look similar to the 


following: 
Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise 
Overruns Int 
* 0 CTY 7 - - 7 7 0 0 
0/0 - 
5 AUX 115200/115200- inout - - - 0 1 
0/0 - 
6 VTY = = - 7 = 0 0 
0/0 - 
7 *VTY - 7 - - = 0 0 
0/0 = 
8 VTY = 7 - 7 - 0 0 
0/0 = 
9 VTY 7 7 - - 3 0 0 
0/0 = 
10 VTY 7 = - 7 = 0 0 
0/0 = 


Line(s) not in async mode 
1-4 


-or- with 


no hardware support: 


To simplify the reverse Telnet connection, create a static host entry called modem using the ip 
host command. Use the port number 2005 and use the IP address of the branch router LAN 


interface. 
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Note 


Step 8 


Step 9 


The name is “modem,” but it can be any name you choose. The TCP port number 2005 


specifies a port that the Telnet protocol will use to establish a connection to line 5 (TCP port 


2000 + line number is a Cisco standard). The alias address that the ip host command 
references is the IP address of a valid interface that is up. In this case, the interface is the 
LAN interface, but it is common to use a loopback interface. Refer to the setup table in this 


exercise for the correct interface IP address. 


Save your configuration to NVRAM. 


Proceed to Task 4. 


Task 4: Configuring the Branch Modem 


To configure the branch modem, you will enable the router to configure the modem 


automatically instead of initiating a reverse Telnet session and manually configuring the 
modem. 


Exercise Procedure 


Complete the following steps: 


Step 1 


Step 2 


Note 


Step 3 


Step 4 


Step 5 


Enter the debug confmodem command to turn on modem configuration debugging. 


Doing so will display the modem autodetection sequence. 


Enter the configuration mode and configure the modem line as follows: 


line aux 0 
modem autoconfigure type usr_sportster 


Instead of autoconfiguring a specific type of modem, you could let the router automatically 
discover the modem type. To do so, use the modem autoconfigure discovery command 


instead of the modem autoconfigure type name command. 


In a few seconds, you should see messages from the debug confmodem command 


you entered in Step 1. The output should look similar to the following: 


TTY5: 
TTY5: 
TTY5: 
TTY5: 
TTY5: 


detection speed (115200) response ---OK--- 


Modem command: --AT&F&C1&D2&H1&R2&M4&K1&B1S0=1H0- - 


Modem configuration succeeded 
detection speed (115200) response ---OK--- 


Done with modem configuration 


Save the configuration to NVRAM. 


Proceed to Task 5. 
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Task 5: Testing the Configuration 


This task will now test the configuration. 


Exercise Procedure 


Complete the following steps: 


Step 1 
Step 2 
Step 3 


Step 4 


Step 5 


Note 


Step 6 


Step 7 


Step 8 


Step 9 


Note 


Step 10 


From the central site router, enter modem at the command prompt. 
When prompted for a username, enter central_X and the password cisco. 
Enter AT and press Return. Observe that you receive an OK from the modem. 


Initiate a call to the branch router. If the telephone number to reach the branch router 
were 555-1004, then you would enter ATDT5551004. Use the number that is listed in 
the setup table. 


Eventually you should see this message: 
CONNECT 9600/ARQ 


It will be followed by a prompt for a username. Modems typically require 
approximately 30 seconds to connect. During this time, they are negotiating 
parameters such as line speed, data compression, and data encryption. 


You may have to repeat Steps 4 and 5 more than once to get the desired result. 
Enter the valid username branch_X and the password cisco to connect to the branch 
router. 


You will now be at the branch prompt. Verify that you can access the privileged 
EXEC mode. 


Enter exit to finish the session. You should now see the central site modem prompt. 


Press Ctr]-Shift-6, and then x, to exit the reverse Telnet session. 


If you are doing the lab remotely, you may not be able to terminate the reverse Telnet 
session properly. Try pressing the Ctrl-Shift-6 sequence twice, and then x (Ctrl-Shift-6, 
Ctrl-Shift-6, x). 


Enter the disconnect command to terminate the active Telnet session. 
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Exercise Verification 


You have completed this exercise when you attain these results: 


On the central router, verify that your configuration contains lines similar to the following: 


On the branch router, verify that your configuration contains lines similar to the following: 


Set up the branch router to autoconfigure the modem 


username central_X password cisco 


ip host modem 2XXX 10.X.0.1 


line aux 0 

login local 

modem InOut 
transport input all 
speed 115200 
stopbits 1 


flowcontrol hardware 


username branch_X password 0 cisco 


ip host modem 2XXX 10.X.10.2 


line aux 0 

login local 

modem InOut 
transport input all 
speed 115200 
stopbits 1 


flowcontrol hardware 


Established a working modem connection between the branch site and the central site 


Configured an access server for modem connectivity so telecommuters can access the 
central site 


Connected to a modem via a reverse Telnet session and configured it for basic 
asynchronous operations 


! Task 1 Step 1 


Task 1 Step 


! Task 1 Step 2 

! Task 1 Step 3 
Task 1 Step 4 

! Task 1 Step 5 
Task 1 Step 6 
Task 1 Step 6 


Task 3 Step 1 


Task 3 Step 8 


! Task 3 Step 2 

! Task 3 Step 3 
Task 3 Step 4 

! Task 3 Step 5 
Task 3 Step 6 
Task 3 Step 6 


modem autoconfigure type usr_sportster ! Task 4 Step 2 
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Lab Exercise Answer Key 


Lab Exercise 2-1: Configuring Asynchronous Connections with Modems 


When you complete this lab exercise, your router configuration will be similar to the following, 
with differences that are specific to your pod. 


Branch Router End Configuration 
version 12.2 


service timestamps debug uptime 
service timestamps log uptime 

no service password-encryption 

! 

hostname branch_3 

! 

enable secret 5 $1$7AQ1S$PIsjyaTKxaEoZv/r4vfQu. 
! 

username branch_3 password 0 cisco 
mmi polling-interval 60 

no mmi auto-configure 

no mmi pvc 

mmi snmp-timeout 180 


ip subnet-zero 


no ip domain-lookup 


ip host modem 2005 10.3.10.2 


ip ssh time-out 120 


ip ssh authentication-retries 3 


! 

interface BRIO 

no ip address 

shutdown 

no cdp enable 

! 

interface FastEtherneto 


description This is the ethernet network for the branch 
router 
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ip address 10.3.10.2 255.255.255.0 
speed auto 

no cdp enable 

! 

interface Serialod 

no ip address 

shutdown 

no cdp enable 

! 

interface Seriall 

no ip address 

shutdown 

no cdp enable 

! 

ip classless 
no ip http server 

ip pim bidir-enable 

! 

! 

no cdp run 
! 
banner motd * 
Lab2 Lab2 Lab2 Lab2 Lab2 Lab2 Lab2 Lab2 Lab2 Lab2 Lab2 Lab2 


branch branch branch branch branch branch branch branch 


Notes from the instructor: 


All local passwords should be set to "cisco" 


branch branch branch branch branch branch branch branch 


Lab2 Lab2 Lab2 Lab2 Lab2 Lab2 Lab2 Lab2 Lab2 Lab2 Lab2 Lab2 


A 
! 
line con 0 

exec-timeout 30 0 

logging synchronous level all 
history size 200 

line aux 0 

login local 


modem InOut 
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modem autoconfigure type usr_sportster 
transport input all 
stopbits 1 

speed 115200 
flowcontrol hardware 
line vty 0 4 
exec-timeout 30 0 
password cisco 
logging synchronous 
login 

history size 200 

! 


end 


Central Router End Configuration 
version 12.2 


service timestamps debug uptime 
service timestamps log uptime 
no service password-encryption 
! 
hostname central _3 
! 
enable secret 5 $1$ds.DSnré5ungkf1UNYSSResgQq/ 
! 
username central_3 password 0 cisco 
ip subnet-zero 
! 
! 
no ip domain-lookup 
ip host modem 2129 10.3.0.1 
! 
! 
call rsvp-sync 
! 
! 
! 
! 
! 
! 
controller T1 1/0 
framing sf 


linecode ami 
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! 
! 
! 
interface Ethernet0/0 


description This is the ethernet network for the central 
router 


ip address 10.3.0.1 255.255.255.0 
half-duplex 

no cdp enable 

! 

interface Ethernet0/1 
no ip address 
shutdown 
half-duplex 

no cdp enable 

! 

interface Serial3/0 
no ip address 
shutdown 

no cdp enable 

! 

interface Serial3/1 
no ip address 
shutdown 

no cdp enable 

! 

interface Serial3/2 
no ip address 
shutdown 

no cdp enable 

! 

interface Serial3/3 
no ip address 
shutdown 

no cdp enable 

! 

ip classless 

no ip http server 

! 

no cdp run 

! 
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dial-peer cor custom 
! 

! 

! 

! 

banner motd ~* 

Lab2 Lab2 Lab2 Lab2 Lab2 Lab2 Lab2 Lab2 Lab2 Lab2 Lab2 Lab2 


central central central central central central central 
central 


Notes from the instructor: 


All local passwords should be set to "cisco" 


central central central central central central central 
central 


Lab2 Lab2 Lab2 Lab2 Lab2 Lab2 Lab2 Lab2 Lab2 Lab2 Lab2 Lab2 


A 
! 
line con 0 

exec-timeout 30 0 

logging synchronous level all 
history size 200 
line 65 70 

flush-at-activation 
line aux 0 

login local 

modem InOut 

transport input all 

stopbits 1 

speed 115200 

flowcontrol hardware 

line vty 0 4 

exec-timeout 30 0 

password cisco 

logging synchronous 

login 


history size 200 


end 
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Lab Exercise 3-1: Configuring and Verifying PPP 
Operations 


Complete the lab exercise to practice what you learned in the related module. 


Exercise Objective 


On completion of this lab, you will be able to: 


Configure PPP over a dedicated link to allow exchange of data between sites 
Configure PAP or CHAP authentication to allow access to a secure site 


Verify proper configuration and troubleshoot an incorrect configuration so data travels as 
intended across the PPP link 


Display network operational parameters using the appropriate show and debug commands 


so that you can detect anomalies 


Visual Objective 


The figure illustrates what you will accomplish in this exercise. 


Packet-Switched Contral 
Services 


Legend 
Serial ee | 


LAN 
Connection 
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Command List 


The commands used in this exercise are described in the table here. 


Helpful Commands 


Command 


debug ppp 
authentication 


Description 


Enables PPP authentication debugging 


debug ppp negotiation 


Enables PPP negotiation debugging 


encapsulation ppp 


Encapsulates PPP on the interface 


ip address ip-address 
mask 


Assigns an IP address to an interface 


ppp authentication 
chap 


Sets Challenge Handshake Authentication protocol (CHAP) as the 
PPP authentication method 


Ppp authentication pap 


Sets Password Authentication Protocol (PAP) as the PPP 
authentication method 


Ppp pap sent-username 
username password 
password 


Defines the username and password to send to the peer for 
authentication 


ppp reliable-link 


Enables Link Access procedure on the data (D) channel (Link 
Access Procedure, Balanced [LAPB]) on a PPP Link 


show interface 
interface 


Displays the configuration of an interface 


undebug all 


Disables all debugging 


username username 
password password 


Sets the username and password on the router for authentication 


Scenario 


You will configure the serial connection between the central and branch routers to forward IP 
traffic using PPP encapsulation. The site has selected PPP to take advantage of the security, 
troubleshooting, and transport protocol-independent features within PPP. Security is 
implemented first with PAP, then with CHAP. You will examine debugging output to become 
familiar with the PPP authentication and negotiation processes in the Cisco IOS software. 
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Note PPP is most commonly seen in dialup scenarios. This module uses a permanent serial 
connection so that you can focus on the PPP protocol itself, without the added complexity of 
asynchronous or ISDN dial-on-demand routing (DDR). 
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Setup 


Setup Tasks 


Gather the information shown in this table prior to starting this lab. 


Pod Number 


Information Required 


Example (X is your 
pod number; all 
subnet masks are 


Write in the 
information for your 
pod 


255.255.255.0) 

Central router Your (first) LAN Ethernet 0/0 
interface type 

Central router Your (first) LAN 10.X.0.1 
interface IP 

Central router Your (first) WAN Serial 0/0 
interface type Serial 3/0 

Central router Your (first) WAN 10.X.160.1 
interface IP 

Branch router Your (first) LAN FastEthernetO 
interface type 

Branch router Your (first) LAN 10.X.10.2 
interface IP 

Branch router Your (first) WAN Serial 0 
interface type 

Branch router Your (first) WAN 10.X.160.2 
interface IP 


From your PC, establish a Telnet session on the terminal server and open a console connection 
to the branch router of your pod. 


From your PC, establish a Telnet session on the terminal server again and open a second 
console connection to the central router of your pod. 


You will now be able to configure and observe output on both routers simultaneously. 


Use the TFTP facility to copy the appropriate preconfiguration files to the central and branch 
routers and reload the routers. 
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Task 1: Enabling PPP Debugging and Activating the Link 


This task enables PPP debugging and activates the link. 


Exercise Procedure 


Complete the following steps: 


30 


Step 1 


Step 2 


Step 3 


Step 4 


Step 5 


Step 6 


Step 7 


Enable PPP negotiation debugging on the branch router and observe the output 
while completing the next steps. 


Enable the PPP protocol on the serial interface at the branch router. 


Enable the serial interface on the branch router, which was administratively shut 
down from the preconfiguration so that the PPP initialization process could be 
observed. 


Enable PPP negotiation debugging on the central router and observe the output 
while completing the next steps. 


Enable the PPP protocol on the serial interface at the central router. 


Enable the serial interface on the central router, which was administratively shut 
down from the preconfiguration so that the PPP initialization process could be 
observed. 


Enter the no shutdown command for the serial interface on the central router. As 
soon as you have entered the no shutdown command and both endpoints of the link 
are active, the debug ppp negotiation command should start displaying PPP 
negotiation output. Carefully inspect the output. 


The central router debug output should be similar to the following: 


01:30: 
01:30: 


01:30: 
load] 


01:30: 
01:30: 
01:30: 
01:30: 
01:30: 
01:30: 
01:30: 
01:30: 
01:30: 
01:30: 
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55: 
55: 
55: 


55: 
55: 
55: 
55: 
55: 
55: 
55: 
55: 
55: 
55: 


Se0/0 PPP: Using default call direction 
Se0/0 PPP: Treating connection as a dedicated line 


Se0/0 PPP: Phase is ESTABLISHING, Active Open [0 sess, 0 


Se0/0 LCP: O CONFREQ [Closed] id 1 len 10 

Se0/0 LCP: MagicNumber Ox05EEE7D5 (0x050605EEE7D5) 
Se0/0 LCP: I CONFREQ [REQsent] id 1 len 10 

Se0/0 LCP: MagicNumber Ox09F99A7A (0x050609F99A7A) 
Se0/0 LCP: O CONFACK [REQsent] id 1 len 10 

Se0/0 LCP: MagicNumber Ox09F99A7A (0x050609F99A7A) 
Se0/0 LCP: I CONFACK [ACKsent] id 1 len 10 

Se0/0 LCP: MagicNumber Ox05EEE7D5 (0x050605EEE7D5) 
Se0/0 LCP: State is Open 

Se0/0 PPP: Phase is UP [0 sess, 0 load] 
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The branch router debug output should be similar to the following: 


00: 
00: 
00: 
00: 
00: 
00: 
00: 
00: 
00: 
00: 
00: 
00: 
00: 
00: 


18: 
18: 
18: 
18: 
18: 
18: 
18: 
18: 
18: 
18: 
18: 
18: 
18: 
18: 


Note 


Step 8 


53: 
53: 
53: 
53: 
53: 
53: 
53: 
53: 
53: 
53: 
53: 
53: 
53: 
53: 


Sed 
Sed 
Sed 
Sed 
Sed 
Sed 
Sed 
Sed 
Sed 
Sed 
Sed 
Sed 
Sed 
Sed 


PPP: 
PPP: 
LCP: 
LCP: 
LCP: 
LCP: 
LCP: 
LCP: 
LCP: 
LCP: 
LCP: 
PPP: 
PPP: 
PPP: 


Treating connection as a dedicated line 


Phase 


is ESTABLISHING, Active Open 


O CONFREQ [Closed] id 1 len 10 


MagicNumber Ox09F99A7A (0x050609F99A7A) 


I CONFREQ [REQsent] id 1 len 10 


MagicNumber Ox05EEE7D5 (0x050605EEE7D5) 


O CONFACK [REQsent] id 1 len 10 


MagicNumber Ox05EEE7D5 (0x050605EEE7D5) 


I CONFACK [ACKsent] id 1 len 10 


MagicNumber Ox09F99A7A (0x050609F99A7A) 


State 
Phase 
Phase 


Phase 


is Open 

is FORWARDING, Attempting Forward 
is ESTABLISHING, Finish LCP 

is UP 


The debug ppp negotiation command displays a great deal of valuable information. Notice 
specifically that the LCP phase completes before PPP goes up and the interface moves to 
the up and up state. 


Proceed to Task 2. 


Task 2: Configuring PPP for the IP Protocol and Verifying the 
Connection 


This task configures PPP for IP and will verify the connection. 


Exercise Procedure 
Complete the following steps: 


Step 1 


Step 2 


Step 3 


Step 4 


Step 5 


Disable the serial link at the central router and observe the debug output. Note that 
only the PPP and LCP protocols were running and are now terminating. 


Configure the branch router serial interface with the appropriate IP address. 


Configure the central router serial interface with the appropriate IP address. 


Enable the central router serial interface. Notice that because you have now 
configured an IP address and the IP protocol has been enabled on the interface, there 
are now additional negotiations for IPCP after PPP is up. 


Verify IP connectivity by pinging the central router from the branch router. 
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Step 6 


Step 7 


Step 8 


Step 9 


Inspect the configuration for the serial interface by entering the show interface 
command. The output should be similar to the following: 


<Output omitted> 
Encapsulation PPP, loopback not set 
Keepalive set (10 sec) 
LCP Open 
Open: IPCP 


<Output omitted> 
Note the states of the LCP and the configured NCPs. 


Which command will turn off all debugging? 


Disable debugging on both routers. 


Proceed to Task 3. 


Task 3: Adding PAP Authentication to the Link 


The following steps will configure the link to use PAP authentication and improve security. 


Exercise Procedure 


Complete these steps: 
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Note 


Step 1 


Step 2 


Step 3 


Step 4 


Note 


Step 5 


Note 


Be sure that all debugging has been disabled prior to starting this exercise. 


Shut down the serial interface at the central router, which will allow you to examine 
the PAP authentication. 


Configure PAP authentication, using the command list, on the central router serial 
interface. 


Configure the central router to send its hostname and the password cisco using the 
command list. 


On the central router, create a username and password for the branch router. Use the 
username of the branch router in your pod and the password cisco. 


Because PAP sends passwords unencrypted, it is good security practice to use different 
PAP passwords in each direction. Also, keep in mind that both the username and password 
are case sensitive. 


On the branch router, configure PPP PAP authentication on the router serial 
interface. 


Disregard warning messages similar to the following: 
AAA: Warning, authentication list "default" is not defined for PPP. 
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Step 6 


Step 7 


Step 8 


Step 9 
Step 10 


Step 11 


Step 12 


Configure the branch router, using the command list, to send the PAP username of 
the branch router hostname and the password cisco. 


Create a username and password for the central router. Use the username of the 
central router in your pod and the password cisco. 


Which command will enable PPP authentication debugging on the router? 


Enable debugging of PPP authentication on the central router. 
Re-enable the central router serial interface. 


Observe the output of the debug ppp authentication command on the router. The 
output should be similar to the following: 


04:04:03: *LINK-3-UPDOWN: Interface Serial0/0, changed state 
to up 


04:04:03: Serial interface PPP: Treating connection as a 
dedicated line 


04:04:03: Serial interface PAP: O AUTH-REQ id 3 len 19 from 
"Central" 


04:04:03: Serial interface PAP: I AUTH-REQ id 3 len 17 from 
"Branch" 


04:04:03: Serial interface PAP: Authenticating peer Branch 
04:04:03: Serial interface PAP: O AUTH-ACK id 3 len 5 
04:04:03: Serial interface PAP: I AUTH-ACK id 3 len 5 


04:04:04: *LINEPROTO-5-UPDOWN: Line protocol on Interface 
SerialxX/X, changed state to up 


Proceed to Task 4. 


Task 4: Changing the Authentication from PAP to CHAP 


The following steps will covert the serial link from PAP to CHAP authentication. 


Exercise Procedure 


Complete these steps: 


Step 1 
Step 2 
Step 3 


Step 4 


Step 5 


Step 6 
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Disable the central router serial interface. 
Remove PPP PAP authentication. 
Activate CHAP authentication at the central router. 


Which command will enable CHAP authentication on the PPP link? 


On the branch router, remove PPP authentication PAP and then activate CHAP 
authentication. 


On the central router, enable the central router serial interface. 
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Step 7 Observe the output of the debug ppp authentication command on the router. The 
output should be similar to the following: 


01:04:48: Se3/0 PPP: Using default call direction 

01:04:48: Se3/0 PPP: Treating connection as a dedicated line 
01:04:48: Se3/0 CHAP: O CHALLENGE id 1 len 30 from "central_X" 
01:04:48: Se3/0 CHAP: 
01:04:48: Se3/0 CHAP: 


I CHALLENGE id 1 len 29 from "branch_X" 
0 
01:04:48: Se3/0 CHAP: I RESPONSE id 1 len 29 from "branch_X" 
(0) 
I 


RESPONSE id 1 len 30 from "central_xX" 


01:04:48: Se3/0 CHAP: SUCCESS id 1 len 4 


01:04:48: Se3/0 CHAP: SUCCESS id 1 len 


Note You do not need to alter the ppp pap sent-username configuration command because it 
applies only to PAP and not CHAP. 


Step 8 On the central router, use the show interface command to verify that the link comes 
up correctly. 
Step 9 Disable all debugging at the central router. 


Step10 Proceed to Task 5. 


Optional Task 5: Changing LCP Parameters and Observing 
Renegotiation 


In tasks 1 through 4, you administratively shut down one end of the link before making any 
changes. This shutdown was done solely to simplify the debugging output. PPP does not 
require that an interface be shut down to reconfigure it. In this task, you will make a change to a 
running link and watch LCP renegotiate, along with any NCPs. 


Exercise Procedure 
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Complete these steps: 
Step 1 Enable the debug ppp negotiation command on both routers. 


Step 2 At the central router, configure the PPP serial interface for LAPB using the ppp 
reliable-link command. 


Note The LCP reliable transmission option is shown in this exercise as an example of an optional 
LCP parameter. It is rarely used in practice because the extra overhead that it imposes is 
not justified on modern high-quality transmission media. 


Step 3 Notice that LCP immediately restarts its negotiation phase. Keep in mind that you 
have reconfigured only one side for reliable mode. Do you expect it to work? Your 
output should be similar to the following: 


*Mar 1 03:56:18.055: Se0/0 IPCP: State is Closed 
*Mar 1 03:56:18.055: Se0/0 CDPCP: State is Closed 
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*Mar 1 03:56:18.055: Se0/0 PPP: Phase is ESTABLISHING, 
renegotiate LCP 


*Mar 1 03:56:18.055: Se0/0 LCP: O CONFREQ [Closed] id 20 len 


19 

*Mar 1 03:56:18.055: Se0/0 LCP: AuthProto CHAP 
(0x0305C22305) 

*Mar 1 03:56:18.055: Se0/0 LCP: MagicNumber 0x11018D3B 
(0x050611018D3B) 

*Mar 1 03:56:18.055: Se0/0 LCP: ReliableLink window 7 addr 


0 (0x0B040700) 
*Mar 1 03:56:18.055: Se0/0 IPCP: Remove route to 192.168.1.2 
*Mar 1 03:56:18.063: Se0/0 LCP: I CONFREQ [REQsent] id 96 len 


15 

*Mar 1 03:56:18.063: Se0/0 LCP: AuthProto CHAP 
(0x0305C22305) 

*Mar 1 03:56:18.063: Se0/0 LCP: MagicNumber 0x50E77B84 
(0x050650E77B84) 

*Mar 1 03:56:18.063: Se0/0 LCP: O CONFACK [REQsent] id 96 len 
15 

*Mar 1 03:56:18.063: Se0/0 LCP: AuthProto CHAP 
(0x0305C22305) 

*Mar 1 03:56:18.063: Se0/0 LCP: MagicNumber 0x50E77B84 
(0x050650E77B84) 

*Mar 1 03:56:18.063: Se0/0 LCP: I CONFREJ [ACKsent] id 20 len 
8 

*Mar 1 03:56:18.063: Se0/0 LCP: ReliableLink window 7 addr 


0 (0x0B040700) 
*Mar 1 03:56:18.063: Se0/0 LCP: O CONFREQ [ACKsent] id 21 len 


15 

*Mar 1 03:56:18.063: Se0/0 LCP: AuthProto CHAP 
(0x0305C22305) 

*Mar 1 03:56:18.063: Se0/0 LCP: MagicNumber 0x11018D3B 
(0x050611018D3B) 

*Mar 1 03:56:18.071: Se0/0 LCP: I CONFACK [ACKsent] id 21 len 
15 

*Mar 1 03:56:18.071: Se0/0 LCP: AuthProto CHAP 
(0x0305C22305) 

*Mar 1 03:56:18.071: Se0/0 LCP: MagicNumber 0x11018D3B 
(0x050611018D3B) 


*Mar 1 03:56:18.071: Se0/0 LCP: State is Open 


(PPP negotiation continues with the authentication and NCP phases.) 
In this example, the branch router is not configured for reliable mode and therefore rejects the 


configuration request. The central router then resends its configuration request without the 
rejected option, and the link comes up normally. 
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Exercise Verification 
You have completed this exercise when you have attained these results: 
= Configured PPP over a dedicated link 
= Configured PAP or CHAP authentication to allow access to a secure site 
m™ Verified proper configuration so that IP data travels as intended across the PPP link 


m= Used various show and debug commands to display network operational parameters 


On the central router, verify that your configuration contains lines similar to the following: 


username branch_X password 0 cisco ! Task 3 Step 4 


interface Serialx/0 


encapsulation ppp ! Task 1 Step 5 
ip address 10.X.160.1 255.255.255.0 ! Task 2 Step 3 
ppp authentication chap ! Task 4 Step 3 
ppp pap sent-username central_X password Cisco ! Task 3 Step 3 
ppp reliable-link ! Task 5 Step 2 

no shutdown ! Task 4 Step 5 


On the branch router, verify that your configuration contains lines similar to the following: 


username central_X password 0 cisco ! Task 3 Step 7 


interface Serial0 


ip address 10.X.160.2 255.255.255.0 ! Task 2 Step 2 
encapsulation ppp ! Task 1 Step 2 
ppp authentication chap ! Task 4 Step 4 
Ppp pap sent-username branch_X password cisco ! Task 3 Step 6 
no shutdown ! Task 1 Step 3 
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Lab Exercise Answer Key 
Lab Exercise 3-1: Configuring and Verifying PPP Operations 


When you complete this lab exercise, your router configuration will be similar to the following, 


with differences that are specific to your pod. 


Branch Router End Configuration 
version 12.2 


service timestamps debug uptime 
service timestamps log uptime 
no service password-encryption 
! 

hostname branch_3 

! 

enable secret 5 $1SEyIES59RGCc2IGAa9TZbPt59/u/ 
! 
username central_3 password 0 cisco 
mmi polling-interval 60 

no mmi auto-configure 

no mmi pvc 
mmi snmp-timeout 180 

ip subnet-zero 

! 

! 
no ip domain-lookup 

! 

ip ssh time-out 120 

ip ssh authentication-retries 3 
! 

! 

! 

! 

interface BRIO 

no ip address 

shutdown 

no cdp enable 

! 

interface FastEtherneto 


description This is the ethernet network for the branch 
router 


ip address 10.3.10.2 255.255.255.0 


Copyright © 2004, Cisco Systems, Inc. Lab Guide 


37 


speed auto 

no cdp enable 

! 

interface Serialo 


description This interface connects directly to central via a 
serial line 


bandwidth 128 

ip address 10.3.160.2 255.255.255.0 
encapsulation ppp 

no cdp enable 

ppp authentication chap 

Ppp pap sent-username branch_3 password 0 cisco 
! 

interface Seriall 

no ip address 

shutdown 

no cdp enable 

! 

ip classless 

ip route 0.0.0.0 0.0.0.0 10.3.160.1 
no ip http server 


ip pim bidir-enable 


no cdp run 
! 

banner motd ~* 

Lab3 Lab3 Lab3 Lab3 Lab3 Lab3 Lab3 Lab3 Lab3 Lab3 Lab3 Lab3 


branch branch branch branch branch branch branch branch 


Notes from the instructor: 


All local passwords should be set to "cisco" 


branch branch branch branch branch branch branch branch 


Lab3 Lab3 Lab3 Lab3 Lab3 Lab3 Lab3 Lab3 Lab3 Lab3 Lab3 Lab3 


A 
! 
! 


line con 0 
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exec-timeout 30 0 
logging synchronous level all 
history size 200 
line aux 0 

line vty 0 4 
exec-timeout 30 0 
password cisco 
logging synchronous 
login 

history size 200 

! 

no scheduler allocate 


end 


Central Router End Configuration 
version 12.2 


service timestamps debug uptime 
service timestamps log uptime 
no service password-encryption 
! 
hostname central _ 3 
! 
enable secret 5 $1$K6/G$YzrM00UiBCxa8UzqGp/XHO 
! 
username branch_3 password 0 cisco 
ip subnet-zero 
! 
! 
no ip domain-lookup 
! 
! 
call rsvp-sync 
! 
! 
! 
! 
! 
! 
controller T1 1/0 
framing sf 


linecode ami 
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! 
! 
interface Ethernet0/0 


description This is the ethernet network for the central 
router 


ip address 10.3.0.1 255.255.255.0 
half-duplex 

no cdp enable 

! 
interface Ethernet0/1 
no ip address 
shutdown 
half-duplex 

no cdp enable 

! 

interface Serial3/0 


description This interface connects directly to branch via a 
serial line 


bandwidth 128 

ip address 10.3.160.1 255.255.255.0 
encapsulation ppp 
clockrate 128000 

no cdp enable 

ppp reliable-link 

ppp authentication chap 
ppp pap sent-username central_3 password 0 cisco 
! 
interface Serial3/1 

no ip address 

shutdown 

no cdp enable 

! 
interface Serial3/2 

no ip address 

shutdown 

no cdp enable 

! 

interface Serial3/3 

no ip address 

shutdown 


no cdp enable 
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ip classless 
ip route 10.3.10.0 255.255.255.0 10.3.160.2 


no ip http server 


no cdp run 


! 

dial-peer cor custom 
i 

! 

! 

! 

banner motd ~* 

Lab3 Lab3 Lab3 Lab3 Lab3 Lab3 Lab3 Lab3 Lab3 Lab3 Lab3 Lab3 


central central central central central central central 
central 


Notes from the instructor: 


All local passwords should be set to "cisco" 


central central central central central central central 
central 


Lab3 Lab3 Lab3 Lab3 Lab3 Lab3 Lab3 Lab3 Lab3 Lab3 Lab4 Lab3 


A 
! 
line con 0 

exec-timeout 30 0 

logging synchronous level all 
history size 200 
line 65 70 

flush-at-activation 

line aux 0 

line vty 0 4 

exec-timeout 30 0 

password cisco 

logging synchronous 

login 


history size 200 


end 
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Lab Exercise 4-1: E-Lab: Simulation for 
Configuring a Cisco 827 Router for NAT with 
PPPoA 


Complete this lab exercise to practice what you learned in the related module. 


Exercise Objective 
Upon completing this exercise, you will be able to: 
m Perform a simulated install procedure 


= Configure a Cisco 827 router for NAT with PPPoA 


Visual Objective 


Use the E-Lab Show Topology button to see your visual objective. 


Scenario 


Refer to the E-Lab for your scenario. 
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Lab Exercise 5-1: Configuring a Site-to-Site 


IPSec VPN Using Preshared Keys 


Complete this lab exercise to practice what you learned in the related module. 


Exercise Objective 
Upon completion of this lab exercise, you will be able to: 
m™ Plan and configure IKE between two sites 
= Configure IPSec between two sites 


m Verify and test an IPSec VPN 


Visual Objective 


The figure illustrates what you will accomplish in this exercise. 


Packet-Switched, 


Analog, ISON, 
and Internet Central 
Services 


ISDN BRI 


LAN 
Connection 
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Command List 


The commands used in this exercise are described in the table here. 
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Configuration Commands 


Command 


authentication [pre-shared 
| rsa-sig | rsa-encr ] 


Description 


Configures the authentication method. Configure Internet Key 
Exchange (IKE) to use preshared keys for this lab. 


clear crypto sa 


clear crypto isakmp 


Deletes the IPSec and Internet Security Association and Key 
Management Protocol (ISAKMP) SAs 


crypto isakmp enable 


Enables the IKE process 


crypto isakmp policy 
priority-number 


Creates IKE policy. Uniquely identifies the IKE policy and 
assigns a priority to the policy. 


crypto isakmp key 
keystring address peer 
address 


Configures a preshared authentication key 


crypto ipsec transform-set 
WORD [ ah-md5-hmac ah- 
sha-hmac esp-des esp- 
md5-hmac | esp-null | esp- 
sha-hmac ] 


Configures transform set suites. Transform sets equal a 
combination of an AH transform, an ESP transform, and the 
IPSec mode (either tunnel or transport mode). 


crypto map map-name 


Applies the crypto map to the IPSec router interface connected to 
the Internet with the crypto map command in interface 
configuration mode 


crypto map map-name seq- 
num ipsec-isakmp 


Configures IPSec crypto map 


debug crypto ipsec 
debug crypto isakmp 


Debugs the ISAKMP and IPSec negotiation and events 


match address ACL-number 


Identifies the extended ACL by its name or number. The value 
should match the access-list number or name argument of a 
previously defined IP-extended access control list (ACL) being 
matched. 


set peer [hostname | ip- 
address] 


Specifies the allowed IPSec peer by IP address or hostname 


set transform-set 
[set _name(s)] 


Specifies the list of transform sets in priority order. For an IPSec 
manual crypto map, you can specify only one transform set. For 
an IPSec-ISAKMP or dynamic crypto map entry, you can specify 
up to six transform sets. 


show crypto isakmp policy 


Displays configured IKE protection policy 


show crypto map 


show crypto ipsec 
transform set 


show crypto ipsec sa 


show crypto isakmp sa 


Displays configured crypto maps, transform sets, and security 
associations 


show crypto engine 
connections active 


Displays a status summary for any active IPSec connections 
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Scenario 


Setup 


Setup Tasks 


Management has decided that communications between the SOHO and branch office requires a 
method of insuring that sensitive corporate data is not being intercepted on the Frame Relay 
link. As the network administrator, you have decided to implement a site-to-site VPN solution. 
The solution that you will be implementing will enable a site-to-site IPSec based VPN to ensure 
confidentiality, integrity, and authentication. In this scenario, the central Site will act as the 
Internet service provider. 


Gather the information shown in this table prior to starting this lab. 


Pod Number Information Required | Example (X is your Write in the 
pod number; all information for your 
subnet masks are pod 
255.255.255.0) 

Central router Your (first) WAN 10.X.160.1 

interface IP 

Central router ISDN number 555X100 

Central router Dialer 2 IP to SOHO 10.X.210.1 

Branch router Your (first) LAN 10.X.10.2 

interface IP 

Branch router Your (first) WAN 10.X.160.2 

interface IP 

SOHO router Your (first) LAN 10.X.100.3 

interface IP 

SOHO router ISDN number 555X300 

SOHO router Dialer 2 IP to central ip unnumbered 
LoopbackO 

SOHO router Loopback 0 IP 10.X.210.3 


From your PC, establish a Telnet connection to the terminal server and open a console 
connection to the central router of your pod. 


From your PC, establish a Telnet connection to the terminal server again and open a second 
console connection to the branch router of your pod. 


From your PC, establish a Telnet connection to the terminal server again and open a third 
console connection to the SOHO router of your pod. 


You will now be able to configure and observe output on all routers simultaneously. 


TFTP the appropriate preconfiguration files on the central, branch, and SOHO routers and 
reload the routers. 


Verify that your branch and central routers each have a serial link connection to each other. 
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Verify that your central and SOHO routers each have an ISDN connection to the ISDN service 


provider. 


Verify that the branch router can successfully execute a ping to the LAN interface of the SOHO 


router. 


Verify that the SOHO router can successfully execute a ping to the LAN interface of the branch 


router. 


Task 1: Configure IKE on the Central Router 


Use the following steps to configure IKE on the central router. 


Exercise Procedure 


Complete these steps: 


Step 1 On the branch router, plan the parameters for IKE. (The default values are in bold.) 
Parameter Branch Site SOHO Office 
Key distribution method—manual or isakmp isakmp isakmp 
Encryption algorithm—DES or 3DES DES DES 
Hash algorithm—MD5 or SHA-1 SHA-1 SHA-1 
Authentication method—Pre-share or RSA pre-share pre-share 
Key exchange—D-H Group 1 or 2 Group 1 Group 1 
IKE SA Lifetime—86400 seconds or less 86400 86400 
Peer IP Address 10.X.210.3 10.X.160.2 

Step 2 Using the command list, enable IKE on the branch router. 

Step 3 Using the command list, create an IKE policy with a priority of 100 using preshared 

keys as the method of authentication. 

Step 4 Configure the preshared key to be cisco1234, using the Loopback 0 IP of the SOHO 

router as the address of your peer. 

Note A given preshared key is a private key shared between two peers. At a given peer you could 
specify the same key to share with multiple remote peers; however, a more secure approach 
is to specify different keys to share between different pairs of peers. 

Step 5 Save the branch router configuration. 

Step 6 To verify the branch router IKE policy, which command would you use? 

Step 7 Your configuration output should look similar to the following: 

Protection suite of priority 100 
encryption algorithm: DES - Data Encryption Standard 
(56 bit keys). 
hash algorithm: Secure Hash Standard 
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Step 8 


authentication method: 


Diffie-Hellman group: 
lifetime: 
Default protection suite 


encryption algorithm: 
(56 bit keys). 


hash algorithm: 


authentication method: 


Signature 
Diffie-Hellman group: 


lifetime: 


Proceed to Task 2. 


Pre-Shared Key 
#1 (768 bit) 


86400 seconds, no volume limit 


DES - Data Encryption Standard 


Secure Hash Standard 


Rivest-Shamir-Adleman 


#1 (768 bit) 


86400 seconds, no volume limit 


Task 2: Configure IKE on the SOHO Router 


Use the following steps to configure IKE on the SOHO router. 


Exercise Procedure 


Complete these steps: 


Step 1 


Step 2 


Step 3 


Step 4 


Step 5 


Using the command list, enable IKE on the SOHO router. 


Using the command list, create an IKE policy with a priority of 100 using preshared 


keys as the method of authentication. 


Using the command list, configure a preshared key of cisco1234, using the first 
WAN Interface IP of the branch router as your peer address. 


Save the SOHO router configuration. 


Verify the SOHO router IKE policy. Your configuration output should look similar 


to the following: 


Protection suite of priority 100 


encryption algorithm: 
(56 bit keys). 


hash algorithm: 


authentication method: 


Diffie-Hellman group: 
lifetime: 
Default protection suite 


encryption algorithm: 
(56 bit keys). 


hash algorithm: 


authentication method: 


Signature 


Diffie-Hellman group: 
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DES - Data Encryption Standard 


Secure Hash Standard 
Pre-Shared Key 
#1 (768 bit) 


86400 seconds, no volume limit 


DES - Data Encryption Standard 


Secure Hash Standard 


Rivest-Shamir-Adleman 


#1 (768 bit) 
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Step 6 


lifetime: 86400 seconds, no volume limit 


Proceed to Task 3. 


Task 3: Plan and Configure IPSec on the Branch Router 


Use the following steps to involve planning and configuring IPSec on the branch router. 


Exercise Procedure 


Complete these steps: 


Step 1 


Step 2 


Step 3 


Note 


Step 4 


Step 5 


Step 6 


Step 7 


Step 8 
Step 9 
Step 10 


Step 11 


Plan the IPSec policies. 
Policy Branch SOHO 
Transform set esp-des esp-des 
Traffic type to be encrypted IP IP 
SA establishment ipsec-isakmp ipsec-isakmp 


You must configure an access list that will serve as the rule that specifies which 
traffic will be encrypted. For this lab, you must protect all traffic originating from 
the branch router LAN network going to the SOHO router LAN network. Configure 
an extended access list 120 that will define this traffic going between the branch 
router and SOHO router. 


Using the command list, configure an IPSec transform set call MYSET and specify 
that you will be using Encapsulating Security Payload (ESP) with Data Encryption 
Standard (DES). 


Up to three transform sets can be in a set. Sets are limited to one AH and up to two ESP 
transforms. 


Using the command list, configure an IPSec crypto map using a map name of 
MYMaAP and a sequence number 110. Configure this crypto map using the ipsec- 
isakmp command. 


Configure the crypto map MYMAP to match the access list 120. 


Configure the crypto map MYMAP to set the peer address to the SOHO router 
loopback 0 interface IP. 


Configure the crypto map MYMAP to also set the transform set MYSET upon the 
match condition. 


Apply crypto map MYMAP to the branch router serial interface. 
Exit the configuration. 
Use the show crypto ipsec sa command and verify your configuration settings. 


Proceed to Task 4. 
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Task 4: Plan and Configure IPSec on the SOHO Router 


Use the following steps to plan and configure IPSec on the SOHO router. 


Exercise Procedure 


Complete these steps: 


Step 1 


Step 2 


Step 3 


Step 4 


Step 5 


Step 6 


Step 7 
Step 8 
Step 9 


Step 10 


On the SOHO router you must configure an access list that will serve as the rule that 
specifies which traffic will be encrypted. For this lab, you must protect all traffic 
originating from the SOHO router LAN network going to the branch router LAN 
network. Configure an extended access list 120 that will define this traffic going 
between the SOHO and branch router. 


Using the command list, configure an IPSec transform set called MYSET and 
specify that you will be using ESP with DES. 


Using the command list, configure an IPSec crypto map using a map name of 
MYMAP and a sequence number 110. Configure this crypto map using the ipsec- 
isakmp command. 


Configure the crypto map MYMAP to match the access list 120. 


Configure the crypto map MYMATP to set the peer address as the branch serial 
interface IP. 


Configure the crypto map MYMAP to also set the transform set MYSET upon the 
match condition. 


Apply crypto map MYMAP to the SOHO router loopback0 interface. 
Exit the configuration and verify using the show run command. 
Use the show crypto ipsec sa command and verify your configuration settings. 


Proceed to Task 5. 


Task 5: Test and Verify the VPN operation 


Use the following steps to tests and verify for proper VPN operation. 


Exercise Procedure 


Complete these steps: 


Step 1 


Note 


Step 2 


Go to the branch router and disable synchronous logging on the console. 


Synchronous logging was configured from the preconfiguration file. Although this command 
adds to the ease of configuration by keeping unsolicited console messages from being 
interspersed with solicited EXEC output, it also buffers debug output until the completion of 
an EXEC process, such as a ping. You will be disabling this functionality so that you can 
observe the debug output in real time. 


Enable debugging to observe the ISAKMP and IPSec negotiation and security 
association creation. 
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Step 3 


Step 4 


Step 5 


Step 6 


Step 7 


Step 8 


Step 9 


Step 10 


Step 11 


Use the show crypto ipsec sa command and write the amount of packets that have 
been encrypted and decrypted. 


Packets encrypted Packets decrypted 


Use the command list to determine if there are any active IPSec connections. How 
many? 


From the branch router, ping the SOHO router Loopback 0 Interface IP and LAN 
interface IP address. 


Did you observe any debug information? 


From the branch router, do an extended ping using the branch router LAN interface 
IP address as the source, and use as the destination IP the SOHO router LAN 
interface IP address. 


Now verify the security associations using the show crypto ipsec sa and show 
crypto isakmp sa commands. 


Complete the following information from the show commands: 


Packets encrypted Packets decrypted 


Use the command list to determine if there are any active IPSec connections. How 
many? 


How many connections comprise an IPSec tunnel and why? 


Optional. If you want to observe the process again, clear the SAs using the clear 
crypto sa and the clear crypto isakmp commands. Then generate interesting traffic 
by doing additional extended pings between routers. 


Exercise Verification 


You completed this exercise when you attain these results: 
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m™ Ifyou successfully pinged the SOHO LAN IP address from the branch office router and 
vice versa. Also, you must verify that the security associations have been created and are 
protecting the traffic. 


On the branch router, verify that your configuration contains lines similar to the following: 


crypto isakmp enable ! Task 1 step 2 
crypto isakmp policy 100 ! Task 1 step 4 
authentication pre-share ! Task 1 step 4 


crypto isakmp key cisco1234 address 10.X.210.3 ! Task 1 step 5 


crypto ipsec transform-set MYSET esp-des ! Task 3 step 3 
crypto map MYMAP 110 ipsec-isakmp ! Task 3 step 4 
set peer 10.X.210.3 ! Task 3 step 6 

set transform-set MYSET ! Task 3 step 7 
match address 120 ! Task 3 step 5 
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interface Serial 0 

crypto map MYMAP ! Task 3 step 8 

! Task 3 step 2 

access-list 120 permit ip 10.X.10.0 0.0.0.255 10.X.100.0 0.0.0.255 


line console 0 


no logging synchronous ! Task 5 step 1 


On the SOHO router, verify that your configuration contains lines similar to the following: 


crypto isakmp enable ! Task 2 step 1 
crypto isakmp policy 100 ! Task 2 step 3 
authentication pre-share ! Task 2 step 3 
crypto isakmp key ciscol1234 address 10.X.160.2 ! Task 2 step 4 
crypto ipsec transform-set MYSET esp-des ! Task 4 step 2 
crypto map MYMAP 110 ipsec-isakmp ! Task 4 step 3 

set peer 10.X.160.2 ! Task 4 step 5 

set transform-set MYSET ! Task 4 step 6 
match address 120 ! Task 4 step 4 


interface LoopbackoO 


ip address 10.X.210.3 255.255.255.0 ! From preconfig 
interface Dialer 2 ! From preconfig 
ip unnumbered Loopback0O ! From preconfig 
crypto map MYMAP ! Task 4 step 8 


! Task 4 step 1 
access-list 120 permit ip 10.X.100.0 0.0.0.255 10.X.10.0 0.0.0.255 
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Lab Exercise Answer Key 
Lab Exercise 5-1: Configuring a Site-to-Site IPSec VPN Using Preshared Keys 


When you complete this lab exercise, your router configuration will be similar to the following, 
with differences that are specific to your pod. 


Branch Router End Configuration 
version 12.2 


service timestamps debug uptime 
service timestamps log uptime 
no service password-encryption 
! 
hostname branch_3 
! 
enable secret 5 $1$toHVSquka4kAjmrkyAkXpxbrQp/ 
! 
memory-size iomem 25 
mmi polling-interval 60 
no mmi auto-configure 
no mmi pvc 
mmi snmp-timeout 180 
ip subnet-zero 
! 
! 
no ip domain-lookup 
! 
ip ssh time-out 120 
ip ssh authentication-retries 3 
! 
crypto isakmp policy 100 
authentication pre-share 
crypto isakmp key cisco1234 address 10.3.210.3 
! 
! 
crypto ipsec transform-set MYSET esp-des 
! 
crypto map MYMAP 110 ipsec-isakmp 
set peer 10.3.210.3 
set transform-set MYSET 
match address 120 
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! 

! 
interface BRIO 

no ip address 

shutdown 

no cdp enable 

! 

interface FastEtherneto 

description This is the Ethernet network for the Branch router 
ip address 10.3.10.2 255.255.255.0 
speed auto 

no cdp enable 

! 

interface Serial0o 


description This interface connects directly to Central via a 
serial line 


bandwidth 128 

ip address 10.3.160.2 255.255.255.0 
encapsulation ppp 

no cdp enable 

crypto map MYMAP 

! 
interface Seriall 

no ip address 

shutdown 

no cdp enable 

! 

ip classless 

ip route 0.0.0.0 0.0.0.0 10.3.160.1 
no ip http server 

ip pim bidir-enable 

! 

! 


access-list 120 permit ip 10.3.10.0 0.0.0.255 10.3.100.0 
0.0.0.255 
no cdp run 
! 

banner motd * 

Lab5 Lab5 Lab5 Lab5 Lab5 Lab5 Lab5 Lab5 Lab5 Lab5 Lab5 


branch branch branch branch branch branch branch branch 
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Notes from the instructor: 
All local passwords should be set to "cisco" 
branch branch branch branch branch branch branch branch 


Lab5 Lab5 Lab5 Lab5 Lab5 Lab5 Lab5 Lab5 Lab5 Lab5 Lab5 


A 
! 

line con 0 
exec-timeout 30 0 
history size 200 
line aux 0 

line vty 0 4 
exec-timeout 30 0 
password cisco 
logging synchronous 
login 


history size 200 


end 


Central Router End Configuration 
version 12.2 


service timestamps debug uptime 
service timestamps log uptime 

no service password-encryption 

! 

hostname central 3 

! 

enable secret 5 $15N.0.$iD2A0G1L9WY51P5xk8cO.U1 
! 

username soho_3 password 0 cisco 
ip subnet-zero 

! 

! 

no ip domain-lookup 

! 

! 

isdn switch-type primary-5ess 


call rsvp-sync 
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! 

! 
controller T1 1/0 

framing esf 

linecode b8zs 

pri-group timeslots 1-24 

! 

! 

! 
interface Ethernet0/0 
description This is the Ethernet network for the Central router 
ip address 10.3.0.1 255.255.255.0 
half-duplex 

no cdp enable 

! 

interface Ethernet0/1 

no ip address 

shutdown 

half-duplex 

no cdp enable 

! 

interface Seriall1/0:23 

no ip address 

encapsulation ppp 

dialer pool-member 2 

isdn switch-type primary-5ess 
no cdp enable 

ppp authentication chap 

! 

interface Serial3/0 


description This interface connects directly to Branch via a 
serial line 


bandwidth 128 

ip address 10.3.160.1 255.255.255.0 
encapsulation ppp 

clockrate 128000 


no cdp enable 
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! 

interface Serial3/1 

no ip address 

shutdown 

no cdp enable 

! 

interface Serial3/2 

no ip address 

shutdown 

no cdp enable 

! 
interface Serial3/3 

no ip address 

shutdown 

no cdp enable 

! 
interface Dialer2 
description This dialer goes from Central to soho 
ip address 10.3.210.1 255.255.255.0 
encapsulation ppp 

dialer pool 2 

dialer remote-name soho 3 
dialer string 5553300 
dialer-group 1 

no cdp enable 


ppp authentication chap 


ip classless 

ip route 10.3.10.0 255.255.255.0 10.3.160.2 
ip route 10.3.100.0 255.255.255.0 10.3.210.3 
no ip http server 

! 

dialer-list 1 protocol ip permit 

no cdp run 

! 

! 

dial-peer cor custom 

! 

! 
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! 

banner motd ~* 

Lab5 Lab5 Lab5 Lab5 Lab5 Lab5 Lab5 Lab5 Lab5 Lab5 Lab5 

central central central central central central central central 
Notes from the instructor: 

All local passwords should be set to "cisco" 

central central central central central central central central 


Lab5 Lab5 Lab5 Lab5 Lab5 Lab5 Lab5 Lab5 Lab5 Lab5 Lab5 


A 
! 

line con 0 

exec-timeout 30 0 

logging synchronous level all 
history size 200 

line 65 70 

flush-at-activation 
line aux 0 
line vty 0 4 

exec-timeout 30 0 

password cisco 

logging synchronous 

login 


history size 200 


end 


SOHO Router End Configuration 


version 12.2 

service timestamps debug uptime 

service timestamps log uptime 

no service password-encryption 

! 

hostname soho_3 

! 

enable secret 5 $1$aNN7Sa0cNnou/3pPLS5d5ZRy8b1 
! 

username central_3 password 0 cisco 


ip subnet-zero 
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no ip domain-lookup 
! 
isdn switch-type basic-5ess 
! 
crypto isakmp policy 100 
authentication pre-share 
crypto isakmp key ciscol1234 address 10.3.160.2 
! 
! 
crypto ipsec transform-set MYSET esp-des 
! 
crypto map MYMAP 110 ipsec-isakmp 
set peer 10.3.160.2 
set transform-set MYSET 
match address 120 
! 
! 
! 
! 
interface Loopback0O 
ip address 10.3.210.3 255.255.255.0 
crypto map MYMAP 
! 
interface Ethernet0 
description This is the Ethernet network for the soho router 
ip address 10.3.10.3 255.255.255.0 secondary 
ip address 10.3.100.3 255.255.255.0 
no cdp enable 
! 
interface BRIO 
no ip address 
encapsulation ppp 
dialer pool-member 2 
isdn switch-type basic-5ess 
no cdp enable 
ppp authentication chap 
! 
interface Dialer2 
description This dialer goes from soho to Central 


ip unnumbered LoopbackO 
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encapsulation ppp 
dialer pool 2 
dialer remote-name central_3 
dialer string 5553100 
dialer-group 1 
no cdp enable 
ppp authentication chap 
! 
ip classless 
ip route 0.0.0.0 0.0.0.0 10.3.210.1 
no ip http server 
! 


access-list 120 permit ip 10.3.100.0 0.0.0.255 10.3.10.0 
0.0.0.255 


dialer-list 1 protocol ip permit 
no cdp run 
banner motd * 

Lab5 Lab5 Lab5 Lab5 Lab5 Lab5 Lab5 Lab5 Lab5 Lab5 Lab12 


soho soho soho soho soho soho soho soho soho soho soho soho 


Notes from the instructor: 


All local passwords should be set to "cisco" 


soho soho soho soho soho soho soho soho soho soho soho soho 


Lab5 Lab5 Lab5 Lab5 Lab5 Lab5 Lab5 Lab5 Lab5 Lab5 Lab5 


A 
! 
line con 0 
exec-timeout 30 0 
logging synchronous level all 
history size 200 
line vty 0 4 
exec-timeout 30 0 
password cisco 
logging synchronous 
login 
history size 200 
! 


end 
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Lab Exercise 6-1: Using ISDN and DDR to 
Enhance Remote Connectivity 


Complete the lab exercise to practice what you learned in the related module. 


Exercise Objective 
Upon completing this lab, you will be able to: 


Configure ISDN BRI, including the switch type 


Configure ISDN PRI, including the switch type, controller type, framing type, line coding, 
PRI group timeslots, and speed 


Configure PPP encapsulation, including authentication, bandwidth aggregation, and 
callback 


Configure PPP authentication using CHAP for security between sites 
Configure MLP to aggregate bandwidth 


Configure PPP callback to model situations where it is more economical for the site 
receiving the call to pay for it 


Identify the Q.921 and Q.931 signaling and call setup sequences, given an ISDN call 
connection 


Visual Objective 


The figure illustrates what you will accomplish in this exercise. 
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Command List 


The commands used in this exercise are described in the table here. 


Configuration Commands 


Command 

clocksource source 
debug dialer 

debug isdn q921 

debug isdn q931 
dialer callback-secure 


dialer callback-server 
username 


dialer-group group- 
number 


dialer hold-queue 
packets 


dialer idle-timeout 
sec 


dialer-list dialer- 
group protocol 
protocol -name {permit 


deny list access- 
list-number access- 
group} 


dialer load-threshold 
load 


dialer map ip next- 
hop-address name 
destination-router- 
name phone-number 
encapsulation ppp 


framing framing-type 


Description 

Specifies the PRI controller clock source 

Monitors dialer events 

Monitors Q921 negotiations 

Monitors Q931 negotiations 

Enables callback security 

Specifies that the callback server use the username when calling 
back to the client 

Assigns a dialer group to an interface 

Specifies the amount of packets that will be held in queue 
Specifies how long the line will remain active with no additional 
interesting traffic 


Specifies interesting traffic and associates it to a dialer group 


Specifies the load threshold to activate additional lines 


Specifies how to call a destination 


Enables the PPP protocol on the interface 


Specifies the PRI controller framing type on a line 


isdn switch-type 
basic-switch-type 


isdn switch-type 
primary-switch-type 


linecode type 


map-class dialer 
class-name 


ppp authentication 
chap 


ppp authentication 
chap callin 


ppp callback accept 


Specifies a BRI switch type 


Specifies a PRI switch type 


Specifies the PRI controller line code 


Specifies the dialer map class 


Sets CHAP as the PPP authentication method 


Sets CHAP as the PPP authentication method but specifies that 
the authentication only occur once and by the remote initiating 
peer 


Enables callback capability on the server interface 
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Command Description 


ppp callback request Enables callback capability on the client 


ppp multilink Enables multilink capability 


pri-group timeslots 1- Enables PRI on the interface and assigns the timeslots 


show dialer Displays general diagnostic information for interfaces configured 


for DDR 


show isdn status Displays the ISDN line status information 


Scenario 


Your company requires an ISDN connection between the central site and many branch sites. 
Therefore, the central router has an ISDN PRI interface installed. For branch sites, the router 
has an ISDN BRI interface installed. 


Configure both routers to place ISDN calls between the central site and a branch site. Configure 
Multilink PPP (MLP) to maximize the bandwidth. Finally, the central site has negotiated a 
better service agreement with the telco provider. It is more economical for the central site to 
incur the toll charge rather than the branch site. For this reason, configure PPP callback. 


Setup 


Gather the information shown in this table prior to starting this lab. 
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Pod Number 


Information Required 


Example (X is your 
pod number; all 
subnet masks are 


Write in the 
information for your 
pod 


255.255.255.0) 

Central router Your (first) LAN Ethernet 0/0 
interface type 

Central router Your (first) LAN 10.X.0.1 
interface IP 

Central router Your (first) ISDN T1 1/0 
controller 

Central router ISDN interface IP to 10.X.200.1 


branch 


Central router 


ISDN switch type 


primary-5ess 


Central router ISDN number 555X100 
Branch router Your (first) LAN FastEthernetO 
interface type 
Branch router Your (first) LAN 10.X.10.2 
interface IP 

Branch router Your (first) ISDN BriO 
interface type 

Branch router ISDN interface IP to 10.X.200.2 
central 

Branch router ISDN switch type basic-5ess 
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Pod Number Information Required | Example (X is your Write in the 
pod number; all information for your 
subnet masks are pod 
255.255.255.0) 

Branch router ISDN number 555X200 


Setup Tasks 


From your PC, establish a Telnet connection to the terminal server and open a console 
connection to the branch router of your pod. 


From your PC, establish a Telnet connection to the terminal server again and open a second 
console connection to the central router of your pod. 


You will now be able to configure and observe output on both routers simultaneously. 


TFTP the appropriate preconfiguration files to the central and branch routers and reload the 
routers. 


Task 1: Configuring the ISDN BRI on the Branch Office Router 


Use the following steps to configure the ISDN BRI on the branch office router. 


Exercise Procedure 
Complete these steps: 


Step 1 Using the command list, configure the branch router to use the ISDN switch type 
that is listed in the setup table. 


Step 2 Using the command list, configure a username central_X (where X is the number 
of your pod) and a password cisco for the connection to the central router. 


Step 3 Configure the BRI 0 interface for PPP encapsulation and CHAP authentication. 


Note Ignore the following message: AAA: Warning, authentication list "default" is not defined for 
PPP, because in this exercise you will be using local authentication only. 

Step 4 Assign the dialer list 1 to the BRI 0 interface. 

Step 5 Configure the BRI 0 for an idle timeout of 60 seconds. 

Step 6 Configure the BRI 0 for a hold queue of 5 packets. 


Step 7 Configure the BRI 0 with a dialer map, which configures the central router IP 
address with the central router hostname and ISDN number. 


Step 8 Configure the BRI 0 with an IP address that is listed in the setup table. 


Note Do not enter the no shut command, because you must identify the Q.921 signaling and call 
setup sequences. 


Step 9 Configure a dialer list 1 to allow all IP packets to trigger a call. 
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Step10 Configure a static default route with a next-hop IP address set to the central router. 


Step11 Verify and save your configuration. 


Step12 Examine ISDN status and enable Q.921 debugging. Use these commands to view 
the current status of your router ISDN interface and connections: 


show isdn status 
show interface bri 0 
debug isdn q921 


The output from these commands should be similar to these examples: 


Branch#show isdn status 
Global ISDN Switchtype = basic-5ess 
ISDN BRIO interface 


dsl 0, interface ISDN Switchtype = basic-5ess 


Layer 1 Status: 

DEACTIVATED 
Layer 2 Status: 

Layer 2 NOT Activated 
Layer 3 Status: 

0 Active Layer 3 Call(s) 
Active dsl 0 CCBs = 0 


The Free Channel Mask: 0x80000003 


Number of L2 Discards = 0, L2 Session ID = 0 


Total Allocated ISDN CCBs = 0 


Branch#show interface bri0 


BRIO is administratively down, line protocol is down 


Hardware is PQUICC BRI 
Internet address is 10.2.200.2/24 


MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec, 


reliability 255/255, txload 1/255, rxload 1/255 


Encapsulation PPP, loopback not set 


< Output Omitted > 


Branch#debug isdn q921 
ISDN Q921 packets debugging is on 
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Step 13 Activate the BRI 0 interface and observe the output generated by the debug 
command. The output should be similar to the following: 


00:43:25: SLINK-3-UPDOWN: Interface BRIO:1, changed state to 
down 


00:43:25: SLINK-3-UPDOWN: Interface BRI0:2, changed state to 
down 


00:43:25: ISDN BRO: RX <- IDREM ri=0 ai=127 

00:43:25: SLINK-3-UPDOWN: Interface BRIO, changed state to up 
00:43:25: ISDN BRO: TX -> IDREQ ri=86 ai=127 

00:43:25: ISDN BRO: RX <- IDASSN ri=86 ai=64 

00:43:25: ISDN BRO: TX -> SABMEp c/r=0 sapi=0 tei=64 
00:43:25: ISDN BRO: RX <- UAf c/r=0 sapi=0 tei=64 


00:43:25: SISDN-6-LAYER2UP: Layer 2 for Interface BRO, TEI 64 
changed to up 


Note Q.921 debugging displays activity between the telco switch and the router every ten 
seconds. 


Step 14 Return to privileged EXEC mode and turn off the debugging. 


Step 15 Now that the BRI 0 interface has been activated, examine the output of the show 
isdn status and the show interface bri 0 commands. 


show isdn status 
Global ISDN Switchtype = basic-5ess 
ISDN BRIO interface 
dsl 0, interface ISDN Switchtype = basic-5ess 
Layer 1 Status: 
ACTIVE 
Layer 2 Status: 


TEI = 64, Ces = 1, SAPI = 0, State = 
MULTIPLE FRAME ESTABLISHED 


Layer 3 Status: 
0 Active Layer 3 Call(s) 
Active dsl 0 CCBs = 0 
The Free Channel Mask: 0x80000003 
Number of L2 Discards = 0, L2 Session ID = 3 
Total Allocated ISDN CCBs = 0 


show interface bri 0 

BRIO is up, line protocol is up (spoofing) 
Hardware is PQUICC BRI 
Internet address is 10.2.200.1/24 
MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec, 
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Step 16 


reliability 255/255, txload 1/255, rxload 1/255 


Encapsulation PPP, loopback not set 


< Output Omitted > 


Notice that the terminal endpoint identifier (TED) reported by the show isdn status 
command corresponds to the number seen in the Q.921 debugging. Also note the up- 
up (spoofing) state of the BRI interface. 


Proceed to Task 2. 


Task 2: Configuring ISDN PRI on Your Central Site Router 


Use the following steps to configure the ISDN PRI on your central site router. 


Exercise Procedure 


Complete these steps: 
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Step 1 


Step 2 


Step 3 
Step 4 


Step 5 


Note 


Step 6 


Using the command list, configure the central router to use the ISDN switch type 
that is listed in the setup table. 


Using the command list, configure a username branch_X (where X is the number of 
your pod) and a password cisco for the connection to the branch router. 


Configure the ISDN PRI controller with “Primary Rate ISDN controller.” 
Configure the T1 1/0 controller to use a linecode b8zs and framing type esf. 


Configure the T1 1/0 controller to extract the clock from the line. 


The T1 controller must also have a clock source identified as part of the basic link 
parameters. By default, the controller is configured to extract the clock from the line that is 
the default and will not appear in your final configuration. 


Enable PRI and assign timeslots on the T1 controller. When you complete the 
configuration, you will see the newly created subinterfaces that represent the 
enabled channels change states. The last line should show that the D channel, Serial 
1/0:23, is up. The output should look similar to: 


00:19:56: %ISDN-6-LAYER2UP: Layer 2 for Interface Se1/0:23, 
TEI 0 changed to up 


00:19:56: *LINEPROTO-5-UPDOWN: Line protocol on Interface 
Seriall1/0:0, changed state to down 


00:19:56: *LINEPROTO-5-UPDOWN: Line protocol on Interface 
Seriall/0:1, changed state to down 


00:19:56: *LINEPROTO-5-UPDOWN: Line protocol on Interface 
Seriall1/0:2, changed state to down 


00:19:56: *LINEPROTO-5-UPDOWN: Line protocol on Interface 
Serial1/0:3, changed state to down 


00:19:56: *LINEPROTO-5-UPDOWN: Line protocol on Interface 
Seriall1/0:4, changed state to down 
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Step 7 


Step 8 
Step 9 
Step 10 


Step 11 


Step 12 


Step 13 


Step 14 


Step 15 


Step 16 


00:19:56: *LINEPROTO-5-UPDOWN: Line protocol on Interface 
Serial1/0:5, changed state to down 


<Output omitted> 


00:20:00: %LINK-3-UPDOWN: Interface Serial1/0:23, changed 
state to up 


Configure the Serial1/0:23 interface for PPP encapsulation and CHAP 
authentication. 


Assign the dialer list 1 to the Serial1/0:23 interface. 
Configure Serial1/0:23 for an idle timeout of 60 seconds. 
Configure the Serial1/0:23 interface for a hold queue of 5 packets. 


Configure the Serial1/0:23 interface with a dialer map, which configures the branch 
router IP address with the branch router hostname and ISDN number. 


Configure the Serial1/0:23 interface with an IP address that is listed in the setup 
table. 


Configure a dialer list 1 to allow all IP packets to trigger a call. 


Configure a static route to the branch router stub network with a next-hop IP address 
set to the branch router. 


Verify and save your configuration. 


Examine ISDN status of your PRI interface with the show isdn status and show 
interface serial 1/0:23 commands. 


show isdn status 
Global ISDN Switchtype = primary-5ess 
ISDN Serial1/0:23 interface 
dsl 0, interface ISDN Switchtype = primary-ni 
Layer 1 Status: 
ACTIVE 
Layer 2 Status: 


Wwet SS 0), Gas S al, SyAeh = 0, Sicetes = 
MULTIPLE FRAME ESTABLISHED 


Layer 3 Status: 

0 Active Layer 3 Call(s) 
Activated dsl 0 CCBs = 0 
Total Allocated ISDN CCBs = 0 


show interface serial 1/0:23 
Serial/0:23 is up, line protocol is up (spoofing) 
Hardware is DSX1 


Internet address is 10.1.200.1/24 
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MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec, rely 255/255, 
load 1/255 


Encapsulation PPP, loopback not set 


< Output Omitted > 


Step 17 Proceed to Task 3. 


Task 3: Verifying the ISDN Connection 


In this task you will be using various show and debug commands to become familiar with 
ISDN operations. 


Exercise Procedure 


Complete these steps: 


Step 1 Enter the branch router and disable synchronous logging for the console port. 


Note Synchronous logging was configured from the preconfiguration file. Although this command 
adds to the ease of configuration by keeping unsolicited console messages from being 
interspersed with solicited EXEC output, it also buffers debug output until the completion of 
an EXEC process, such as a ping. You will be disabling this functionality so that you can 
observe the debug output in real time. 


Step 2 From the branch router, ping the central site router LAN interface. The output 
should be similar to: 


Type escape sequence to abort. 


Sending 5, 100-byte ICMP Echos to 10.X.0.1, timeout is 2 
seconds: 


Qrryy 


Success rate is 100 percent (5/5), round-trip min/avg/max = 
32/78/264 ms 


00:13:24: SLINK-3-UPDOWN: Interface BRI0:1, changed state to 
up 


00:13:25: *LINEPROTO-5-UPDOWN: Line protocol on Interface 
BRI0O:1, changed state to up 


00:13:30: *ISDN-6-CONNECT: Interface BRI0:1 is now connected 
to 5552100 central 2_ 


Note Your ISDN connection is now active and will remain active as long as interesting IP traffic 
travels over the link. Remember that if the link sits idle for longer than 60 seconds, the BRI 0 
interface will disconnect if set with the dialer idle-timeout 60 command. If you repeatedly 
issue the show dialer command, you can accurately estimate when the line will disconnect 
by noting the “Time until disconnect XX secs.” 
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Step 3 Enter show dialer. The output should be similar to: 


show dialer 


BRIO - dialer type = ISDN 


Dial String Successes Failures Last DNIS Last 
status 
555X100 1 0 00:00:21 


successful 
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Lab Exercise 7-1: Using Dialer Profiles to 
Enhance DDR 


Complete the lab exercise to practice what you learned in the related module. 


Exercise Objective 
Upon completing this lab, you will be able to: 
™ Configure a dialer interface on the central site and remote routers 


= Demonstrate that using dialer interfaces allows BRI interfaces to use both B channels 
independently 


Visual Objective 


The figure illustrates what you will accomplish in this exercise. 


70 Building Cisco Remote Access Networks (BCRAN) v2.1 Copyright © 2004, Cisco Systems, Inc. 


Command List 


The commands used in this exercise are described in the table here. 


Configuration Commands 


Command 


dialer-group group- 
number 


Description 


Assigns a dialer group to an interface 


dialer-list dialer- 
group protocol 
protocol -name {permit 
| deny | list access- 
list-number | access- 


group} 


Specifies interesting traffic and associates it to a dialer group 


dialer pool number 


Specifies that you use the interfaces in this pool to reach the 
destination 


dialer pool-member 
number 


Assigns an interface to a dialer pool 


dialer remote-name 
remote router name 


Specifies the name of the remote router 


dialer string phone- 
number 


Specifies the phone number used to reach the remote router 


encapsulation ppp 


Enables PPP protocol on the interface 


interface dialer 
number 


Creates a dialer interface 


ip route network 
network-mask next-hop 


Configures a static or default route 


ppp authentication 
chap 


Sets CHAP as the PPP authentication method 


username hostname 
password password 


Specifies a username and password for authentication 


Scenario 


Given a central site with an ISDN PRI interface, configure it to receive BRI calls over dialer 


interfaces. Test and verify operation of the BRI calls. 
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Gather the information shown in this table prior to starting this lab. 


Pod Number 


Information Required 


Example (X is your 
pod number; all 
subnet masks are 


Write in the 
information for your 
pod 


255.255.255.0) 
Central router Your (first) LAN Ethernet 0/0 
interface type 
Central router Your (first) LAN 10.X.0.1 
interface IP 
Central router Your (first) ISDN T1 1/0 


controller 


Central router 


ISDN switch type 


primary-5ess 


Central router ISDN number 555X100 

Central router Dialer 1 IP to branch 10.X.200.1 

Central router Dialer 2 IP to SOHO 10.X.210.1 

Branch router Your (first) LAN FastEthernet0O 
interface type 

EthernetO 

Branch router Your (first) LAN 10.X.10.2 
interface IP 

Branch router Your (first) ISDN BriO 
interface type 

Branch router ISDN switch type basic-5ess 

Branch router ISDN number 555X200 

Branch router Dialer 1 IP to central 10.X.200.2 

Branch router Dialer 3 IP to SOHO 10.X.220.2 

SOHO router Your (first) LAN Ethernet 0 
interface type 

SOHO router Your (first) LAN 10.X.0.3 
interface IP 

SOHO router Your (first) ISDN BriO 
interface type 

SOHO router ISDN number 555X300 

SOHO router Dialer 2 IP to central 10.X.210.3 

SOHO router Dialer 3 IP to branch 10.X.220.3 
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Setup Tasks 


From your PC, establish a Telnet session to the terminal server and open a console connection 
to the central router of your pod. 


From your PC, establish a Telnet session to the terminal server again and open a second 
console connection to the branch router of your pod. 


From your PC, establish a Telnet session to the terminal server again and open a third console 
connection to the SOHO router of your pod. 


You will now be able to configure and observe output on all routers simultaneously. 


TFTP the appropriate preconfiguration files to the central, branch, and SOHO routers and 
reload them. 


Task 1: Configuring the Central Site PRI to Use Dialer Profiles 


Use the following steps to configure the central site PRI to use dialer profiles. 


Exercise Procedure 
Complete these steps: 


Step 1 


Step 2 


Step 3 


Step 4 


Step 5 
Step 6 
Step 7 
Step 8 


Step 9 


Step 10 


Step 11 


Step 12 


Step 13 


Step 14 


On the central router, configure the ISDN switch type that is listed in the setup table. 


On the central router, create a dialer 1 interface. This dialer profile will connect the 
central router to the branch router. 


For the dialer 1 interface, create a description to assist in identifying the destination 
router for the interface. 


For the dialer | interface, assign an IP address and subnet mask. Use the IP address 
and subnet mask identified in the setup table. 


For the dialer 1 interface, assign dialer-list 1 to the dialer interface. 
For the dialer 1 interface, configure PPP encapsulation and CHAP authentication. 
For the dialer | interface, configure the remote router name. 


For the dialer 1 interface, configure it to belong to dialer pool 1. 


For the dialer | interface, configure the dial string for the branch router. Use the dial 


string that is listed in the setup table. 


On the central router, create a dialer 2 interface. This dialer profile will connect the 
central router to the SOHO router. 


For the dialer 2 interface, create a description to assist in identifying the destination 
router for the interface. 


For the dialer 2 interface, assign an IP address and subnet mask. Use the IP address 
and subnet mask identified in the setup table. 


For the dialer 2 interface, assign dialer-list 1 to the dialer interface. 


For the dialer 2 interface, configure PPP encapsulation and CHAP authentication. 
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Step 15 
Step 16 


Step 17 


Step 18 


Step 19 


Step 20 


Step 21 
Step 22 
Step 23 


Step 24 


For the dialer 2 interface, configure the remote router name. 
For the dialer 2 interface, configure it to belong to dialer pool 2. 


For the dialer 2 interface, configure the dial string for the SOHO router. Use the dial 
string that is listed in the setup table. 


Link the serial 1/0:23 interface of the central router to dialer pool 1 and 2. 


You will also need to configure PPP encapsulation and CHAP authentication on the 
ISDN interface. 


Create usernames and passwords for the CHAP authentication on your dialer 
profiles. 


Create the dialer list for your dialer profiles that will forward all IP traffic. 
Configure static routes to the stub networks at the branch and SOHO sites. 
Verify and save the router configuration. 


Proceed to Task 2. 


Task 2: Configuring the Branch BRI Interface to Use Dialer 


Profiles 


Use the following steps to configure the branch BRI interface to use dialer profiles. 


Exercise Procedure 


Complete these steps: 


Step 1 


Step 2 


Step 3 


Step 4 


Step 5 


Step 6 


Step 7 
Step 8 


Step 9 


Step 10 


On the branch router, configure the ISDN switch type that is listed in the setup table. 


On the branch, create a dialer 1 interface. This dialer profile will connect the branch 
to the central router. 


For the dialer 1 interface, create a description to assist in identifying the destination 
router for the interface. 


For the dialer | interface, assign an IP address and subnet mask. Use the IP address 
and subnet mask identified in the setup table. 


For the dialer | interface, assign dialer-list 1 to the dialer interface. 


For the dialer | interface, configure PPP encapsulation and CHAP authentication. As 
before, you are authenticating locally only, so disregard the AAA default list 
warning message. 


For the dialer | interface, configure the remote router name. 
For the dialer 1 interface, configure it to belong to dialer pool 1. 


For the dialer | interface, configure the dial string for the central router. Use the dial 
string that is listed in the setup table. 


On the branch router, create a dialer 3 interface. This dialer profile will connect to 
branch router to the SOHO router. 
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Step 11 


Step 12 


Step 13 


Step 14 


Step 15 
Step 16 


Step 17 


Step 18 


Step 19 


Step 20 


Step 21 


Step 22 


Step 23 


Step 24 


For the dialer 3 interface, create a description to assist in identifying the destination 
router for the interface. 


For the dialer 3 interface, assign an IP address and subnet mask. Use the IP address 
and subnet mask identified in the setup table. 


For the dialer 3 interface, assign dialer-list 1 to the dialer interface. 


For the dialer 3 interface, configure PPP encapsulation and CHAP authentication. 
As before, you are authenticating locally only, so disregard the AAA default list 
warning message. 


For the dialer 3 interface, configure the remote router name. 
For the dialer 3 interface, configure it to belong to dialer pool 3. 


For the dialer 3 interface, configure the dial string for the SOHO router. Use the dial 
string that is listed in the setup table. 


Link the branch router BRI 0 interface to Dialer pool 1 and 3. 


You will also need to configure PPP encapsulation and CHAP authentication on the 
ISDN interface. 


Create usernames and passwords for the CHAP authentication on your dialer 
profiles. 


Create the dialer list for your dialer profiles that will forward all IP traffic. 


Configure the static default route to the central site and a static route for the stub 
SOHO network. 


Verify and save the router configuration. 


Proceed to Task 3. 


Task 3: Configuring the SOHO BRI Interface to Use Dialer 


Profiles 


Use the following steps to configure the SOHO BRI interface to use dialer profiles. 


Exercise Procedure 
Complete these steps: 


Step 1 


Step 2 


Step 3 


Step 4 


Step 5 


On the SOHO router, configure the ISDN switch type that is listed in the setup table. 


On the SOHO router, create a dialer 2 interface. This dialer profile will connect the 
SOHO to the central router. 


For the dialer 2 interface, create a description to assist in identifying the destination 
router for the interface. 


For the dialer 2 interface, assign an IP address and subnet mask. Use the IP address 
and subnet mask identified in the setup table. 


For the dialer 2 interface, assign dialer-list 1 to the dialer interface. 
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Step 6 


Step 7 
Step 8 


Step 9 


Step 10 


Step 11 


Step 12 


Step 13 
Step 14 
Step 15 
Step 16 


Step 17 


Step 18 


Step 19 


Step 20 


Step 21 


Step 22 


Step 23 


Step 24 


For the dialer 2 interface, configure PPP encapsulation and CHAP authentication. As 
before, you are authenticating locally only, so disregard the AAA default list 
warning message. 


For the dialer 2 interface, configure the remote router name. 
For the dialer 2 interface, configure it to belong to dialer pool 2. 


For the dialer 2 interface, configure the dial string for the central router. Use the dial 
string that is listed in the setup table. 


On the SOHO router, create a dialer 3 interface. This dialer profile will connect the 
SOHO router to the branch router. 


For the dialer 3 interface, create a description to assist in identifying the destination 
router for the interface. 


For the dialer 3 interface, assign an IP address and subnet mask. Use the IP address 
and subnet mask identified in the setup table. 


For the dialer 3 interface, assign dialer-list 1 to the dialer interface. 

For the dialer 3 interface, configure PPP encapsulation and CHAP authentication. 
For the dialer 3 interface, configure the remote router name. 

For the dialer 3 interface, configure it to belong to dialer pool 3. 


For the dialer 3 interface, configure the dial string for the branch router. Use the dial 
string that is listed in the setup table. 


Link the BriO interface of the branch router to dialer pool 2 and 3. 


You will also need to configure PPP encapsulation and CHAP authentication on the 
ISDN interface. 


Create usernames and passwords for the CHAP authentication on your dialer 
profiles. 


Create the dialer list for your dialer profiles that will forward all IP traffic. 


Configure the static default route to the central site and a static route for the branch 
stub network. 


Verify and save the router configuration. 


Proceed to Task 4. 


76 Building Cisco Remote Access Networks (BCRAN) v2.1 Copyright © 2004, Cisco Systems, Inc. 


Task 4: Testing the Dialer Profiles 


Use the following steps to test the dialer profiles you have configured. 


Exercise Procedure 


Complete these steps: 


Step 1 From the branch router, use the ping command to verify connectivity between the 
LAN interfaces of the branch router and the central router. 


Step 2 From the branch router, use the ping command to verify connectivity between the 
LAN interfaces of the branch router and the SOHO router. 


Step 3 From the SOHO router, use the ping command to verify connectivity between the 
LAN interfaces of the SOHO router and the central router. 


Step 4 From the central router, enter the show dialer command and examine the output. If 
the previous steps were executed less than two minutes before, the output should be 
similar to the following: 


< Output Omitted > 


Serial1/0:18 - dialer type = ISDN 
Idle timer (120 secs), Fast idle timer (20 secs) 


Wait for carrier (30 secs), Re-enable (15 secs) 


Dialer state is data link layer up 
Interface bound to profile Di2 


Time until disconnect 93 secs 


Connected to 555X300 (SOHO) 


Serial1/0:19 - dialer type = ISDN 
Idle timer (120 secs), Fast idle timer (20 secs) 


Wait for carrier (30 secs), Re-enable (15 secs) 


Dialer state is data link layer up 
Interface bound to profile Dil 


Time until disconnect 104 secs 


Connected to 555X200 (Branch) 
< Output Omitted > 
Serial1/0:23 - dialer type = ISDN 


Dial String Successes Failures Last DNIS Last 
status 
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0 incoming call(s) have been screened. 


0 incoming call(s) rejected for callback. 


Di1 - dialer type = DIALER PROFILE 


Idle timer (120 secs), Fast idle timer (20 secs) 
Wait for carrier (30 secs), Re-enable (15 secs) 
Dialer state is data link layer up 


Number of active calls = 1 


Dial String Successes Failures Last DNIS Last 
status 
555X200 2 0 00:14:55 


successful Default 


Di2 - dialer type = DIALER PROFILE 


Idle timer (120 secs), Fast idle timer (20 secs) 
Wait for carrier (30 secs), Re-enable (15 secs) 
Dialer state is data link layer up 


Number of active calls = 1 


Dial String Successes Failures Last DNIS Last 
status 
555X300 2 0 00:14:49 


successful Default 


Exercise Verification 


You have completed this exercise when you attain these results: 


m You are able to successfully ping between the branch, central, and SOHO sites. 


On the central router, verify that your configuration contains lines similar to the following: 


username soho_X password 0 cisco ! Task 1 Step 20 
username branch_X password 0 cisco ! Task 1 Step 20 
isdn switch-type primary-ni ! Task 1 Step 1 


interface Seriall1/0:23 


encapsulation ppp ! Task 1 Step 19 
dialer pool-member 1 ! Task 1 Step 18 
dialer pool-member 2 ! Task 1 Step 18 
ppp authentication chap ! Task 1 Step 19 
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interface dialer 1 ! Task 1 Step 2 


description This dialer goes from Central to Branch ! Task 1 Step 
3 
ip address 10.X.200.1 255.255.255.0 ! Task 1 Step 4 
dialer-group 1 ! Task 1 Step 5 
encapsulation ppp ! Task 1 Step 6 
ppp authentication chap ! Task 1 Step 6 
dialer remote-name branch_X ! Task 1 Step 7 
dialer string 555X200 ! Task 1 Step 9 
dialer pool 1 ! Task 1 Step 8 
interface dialer 2 ! Task 1 Step 10 
description This dialer goes from Central to SOHO ! Task 1 Step 
11 
ip address 10.X.210.1 255.255.255.0 ! Task 1 Step 12 
dialer-group 1 ! Task 1 Step 13 
encapsulation ppp ! Task 1 Step 14 
ppp authentication chap ! Task 1 Step 14 
dialer remote-name soho X ! Task 1 Step 15 
dialer string 555X300 ! Task 1 Step 17 
dialer pool 2 ! Task 1 Step 16 
ip route 10.X.10.0 255.255.255.0 10.X.200.2 ! Task 1 Step 22 
ip route 10.X.100.0 255.255.255.0 10.X.210.3 ! Task 1 Step 22 
dialer-list 1 protocol ip permit ! Task 1 Step 21 


On the branch router, verify that your configuration contains lines similar to the following: 


username soho_X password 0 cisco ! Task 2 Step 20 
username central_X password 0 cisco ! Task 2 Step 20 
isdn switch-type basic-net3 ! Task 2 Step 1 


interface BRIO 


encapsulation ppp ! Task 2 Step 19 
dialer pool-member 1 ! Task 2 Step 18 
dialer pool-member 3 ! Task 2 Step 18 
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ppp authentication chap ! Task 2 Step 19 


interface dialer 1 ! Task 2 Step 2 
description This dialer goes from Branch to Central ! Task 2 Step 
3 
ip address 10.X.200.2 255.255.255.0 ! Task 2 Step 4 
dialer-group 1 ! Task 2 Step 5 
encapsulation ppp ! Task 2 Step 6 
ppp authentication chap ! Task 2 Step 6 
dialer remote-name central_X ! Task 2 Step 7 
dialer string 555x100 ! Task 2 Step 9 
dialer pool 1 ! Task 2 Step 8 
interface dialer 3 ! Task 2 Step 10 
description This dialer goes from Branch to SOHO! Task 2 Step 11 
ip address 10.X.220.2 255.255.255.0 ! Task 2 Step 12 
dialer-group 1 ! Task 2 Step 13 
encapsulation ppp ! Task 2 Step 14 
ppp authentication chap ! Task 2 Step 14 
dialer remote-name soho X ! Task 2 Step 15 
dialer string 555x300 ! Task 2 Step 17 
dialer pool 3 ! Task 2 Step 16 
ip route 0.0.0.0 0.0.0.0 10.X.200.1 ! Task 2 Step 22 
ip route 10.X.100.0 255.255.255.0 10.X.220.3 ! Task 2 Step 22 
dialer-list 1 protocol ip permit ! Task 2 Step 21 


On the SOHO router, verify that your configuration contains lines similar to the following: 


username branch_X password 0 cisco ! Task 3 Step 20 
username central_X password 0 cisco ! Task 3 Step 20 
isdn switch-type basic-ni ! Task 3 Step 1 


interface BRIO 


encapsulation ppp ! Task 3 Step 19 
dialer pool-member 2 ! Task 3 Step 18 
dialer pool-member 3 ! Task 3 Step 18 
ppp authentication chap ! Task 3 Step 19 
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interface dialer 2 


description This dialer goes from SOHO to Central 


3 
ip address 10.X.210.3 255.255.255.0 
dialer-group 1 
encapsulation ppp 
ppp authentication chap 
dialer remote-name central_X 
dialer string 555X100 


dialer pool 2 


interface dialer 3 


Task 3 Step 2 


description This dialer goes from SOHO to Branch! 


ip address 10.X.220.3 255.255.255.0 
dialer-group 1 

encapsulation ppp 

ppp authentication chap 

dialer remote-name branch_X 

dialer string 555X200 


dialer pool 3 


dialer-list 1 protocol ip permit 


ip route 0.0.0.0 0.0.0.0 10.X.210.1 
ip route 10.X.10.0 255.255.255.0 10.X.220.2 
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Lab Exercise Answer Key 
Lab Exercise 7-1: Using Dialer Profiles to Enhance DDR 


When you complete this lab exercise, your router configuration will be similar to the following, 
with differences that are specific to your pod. 


Branch Router End Configuration 
version 12.2 


service timestamps debug uptime 
service timestamps log uptime 
no service password-encryption 
! 
hostname branch_3 
! 
enable secret 5 $1$1g/L$1InA9RZbNpwk1BPWuP1/K1 
! 
username central_3 password 0 cisco 
username soho_3 password 0 cisco 
mmi polling-interval 60 
no mmi auto-configure 
no mmi pvc 
mmi snmp-timeout 180 
ip subnet-zero 
! 
! 
no ip domain-lookup 
! 
ip ssh time-out 120 
ip ssh authentication-retries 3 
isdn switch-type basic-5ess 
! 
! 
! 
! 
interface BRIO 
no ip address 
encapsulation ppp 
dialer pool-member 1 
dialer pool-member 3 
isdn switch-type basic-5ess 


no cdp enable 


82 Building Cisco Remote Access Networks (BCRAN) v2.1 Copyright © 2004, Cisco Systems, Inc. 


ppp authentication chap 

! 
interface FastEtherneto 

description This is the Ethernet network for the Branch router 
ip address 10.3.10.2 255.255.255.0 
speed auto 

no cdp enable 

! 
interface Serial0d 

no ip address 

shutdown 

no cdp enable 

! 
interface Seriall 

no ip address 

shutdown 

no cdp enable 

! 
interface Dialerl 

description This dialer goes from Branch to Central 
ip address 10.3.200.2 255.255.255.0 
encapsulation ppp 

dialer pool 1 

dialer remote-name central_3 

dialer string 5553100 

dialer-group 1 

no cdp enable 

ppp authentication chap 

! 

interface Dialer3 

description This dialer goes from Branch to SOHO 
ip address 10.3.220.2 255.255.255.0 
encapsulation ppp 

dialer pool 3 

dialer remote-name soho 3 

dialer string 5553300 

dialer-group 1 

no cdp enable 


ppp authentication chap 


Copyright © 2004, Cisco Systems, Inc. Lab Guide 


ip classless 
ip route 0.0.0.0 0.0.0.0 10.3.200.1 
ip route 10.3.100.0 255.255.255.0 10.3.220.3 
no ip http server 
ip pim bidir-enable 
! 
! 
dialer-list 1 protocol ip permit 


no cdp run 
! 

banner motd ~* 

Lab7 Lab7 Lab7 Lab7 Lab7 Lab7 Lab7 Lab7 Lab7 Lab7 Lab7 Lab7 


branch branch branch branch branch branch branch branch 


Notes from the instructor: 


All local passwords should be set to "cisco" 


branch branch branch branch branch branch branch branch 


Lab7 Lab7 Lab7 Lab7 Lab7 Lab7 Lab7 Lab7 Lab7 Lab7 Lab7 Lab7 


A 
! 

line con 0 

exec-timeout 30 0 

logging synchronous level all 
history size 200 

line aux 0 

line vty 0 4 

exec-timeout 30 0 

password cisco 

logging synchronous 

login 


history size 200 


end 
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Central Router End Configuration 
version 12.2 


service timestamps debug uptime 
service timestamps log uptime 
no service password-encryption 
! 
hostname central 3 
! 
enable secret 5 $1$vPs9$vbj73XnJ1OmaqdVIyCTRi/ 
! 
username soho_3 password 0 cisco 
username branch_3 password 0 cisco 
ip subnet-zero 
! 
! 
no ip domain-lookup 
! 
! 
isdn switch-type primary-5ess 
call rsvp-sync 
! 
! 
! 
! 
! 
! 
controller T1 1/0 
framing esf 
linecode b8zs 
pri-group timeslots 1-24 
! 
! 
! 
interface Ethernet0/0 
description This is the Ethernet network for the Central router 
ip address 10.3.0.1 255.255.255.0 
half-duplex 
no cdp enable 
! 


interface Ethernet0/1 
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no ip address 
shutdown 
half-duplex 


no cdp enable 


interface Seriall1/0:23 


no ip address 


encapsulation ppp 


dialer pool-member 1 
dialer pool-member 2 


isdn switch-type primary-5ess 


no cdp enable 


ppp authentication chap 


! 

interface Serial3/0 
no ip address 
shutdown 
no cdp enable 

! 

interface Serial3/1 
no ip address 
shutdown 
no cdp enable 

! 

interface Serial3/2 
no ip address 
shutdown 
no cdp enable 

! 

interface Serial3/3 
no ip address 
shutdown 
no cdp enable 

! 


interface Dialerl 


description This dialer goes from Central to Branch 


ip address 10.3.200.1 255.255.255.0 


encapsulation ppp 


dialer pool 1 


dialer remote-name branch_3 
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dialer string 5553200 
dialer-group 1 
no cdp enable 
ppp authentication chap 
! 
interface Dialer2 
description This dialer goes from Central to SOHO 
ip address 10.3.210.1 255.255.255.0 
encapsulation ppp 
dialer pool 2 
dialer remote-name soho 3 
dialer string 5553300 
dialer-group 1 
no cdp enable 
ppp authentication chap 
! 
ip classless 
ip route 10.3.10.0 255.255.255.0 10.3.200.2 
ip route 10.3.100.0 255.255.255.0 10.3.210.3 
no ip http server 
! 
dialer-list 1 protocol ip permit 
no cdp run 
! 
! 
dial-peer cor custom 
! 
! 
! 
! 
banner motd * 
Lab7 Lab7 Lab7 Lab7 Lab7 Lab7 Lab7 Lab7 Lab7 Lab7 Lab7 Lab7 
central central central central central central central central 
Notes from the instructor: 
All local passwords should be set to "cisco" 
central central central central central central central central 


Lab7 Lab7 Lab7 Lab7 Lab7 Lab7 Lab7 Lab7 Lab7 Lab7 Lab7 Lab7 


A 
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! 

line con 0 
exec-timeout 30 0 
logging synchronous level all 

history size 200 
line 65 70 
flush-at-activation 
line aux 0 

line vty 0 4 
exec-timeout 30 0 
password cisco 
logging synchronous 
login 


history size 200 


end 


SOHO Router End Configuration 
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version 12.2 
service timestamps debug uptime 
service timestamps log uptime 
no service password-encryption 
! 
hostname soho_3 
! 
enable secret 5 $1$aNN7Sa0cNnou/3pPLS5d5ZRy8b1 
! 
username central_3 password 0 cisco 
username branch_3 password 0 cisco 
ip subnet-zero 
no ip domain-lookup 
! 
isdn switch-type basic-5ess 
! 
! 
! 
! 
interface Ethernet0O 


description This is the Ethernet network for the soho router 
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ip address 10.3.100.3 255.255.255.0 
no cdp enable 
! 
interface BRIO 
no ip address 
encapsulation ppp 
dialer pool-member 2 
dialer pool-member 3 
isdn switch-type basic-5ess 
no cdp enable 
ppp authentication chap 
! 
interface Dialer2 
description This dialer goes from SOHO to Central 
ip address 10.3.210.3 255.255.255.0 
encapsulation ppp 
dialer pool 2 
dialer remote-name central_3 
dialer string 5553100 
dialer-group 1 
no cdp enable 
ppp authentication chap 
! 
interface Dialer3 
description This dialer goes from SOHO to Branch 
ip address 10.3.220.3 255.255.255.0 
encapsulation ppp 
dialer pool 3 
dialer remote-name branch_3 
dialer string 5553200 
dialer-group 1 
no cdp enable 


ppp authentication chap 


ip classless 

ip route 0.0.0.0 0.0.0.0 10.3.210.1 

ip route 10.3.10.0 255.255.255.0 10.3.220.2 
no ip http server 

! 


dialer-list 1 protocol ip permit 
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no cdp run 
banner motd * 

Lab7 Lab7 Lab7 Lab7 Lab7 Lab7 
soho soho soho soho soho soho 
Notes from the instructor: 
All local passwords should be 


soho soho soho soho soho soho 


Lab7 Lab7 Lab7 Lab7 Lab7 Lab7 


A 
! 

line con 0 

exec-timeout 30 0 

logging synchronous level all 
history size 200 
line vty 0 4 

exec-timeout 30 0 

password cisco 

logging synchronous 

login 


history size 200 


end 
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Lab7 Lab7 Lab7 Lab7 Lab7 Lab7 


soho soho soho soho soho soho 


set to "cisco" 


soho soho soho soho soho soho 


Lab7 Lab7 Lab7 Lab7 Lab7 Lab7 
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Lab Exercise 8-1: Establishing a Dedicated 
Frame Relay Connection and Controlling Traffic 
Flow 


Complete this lab exercise to practice what you learned in the related module. 


Exercise Objective 
Upon completing this lab, you will be able to: 
™ Configure a Frame Relay interface and subinterface 
= Configure FRTS 


m Verify Frame Relay operation 


Visual Objective 


The figure illustrates what you will accomplish in this exercise. 


Legend 
Frame Relay ~~Z 


LAN 
Connection 
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Command List 


The commands used in this exercise are described in the table here. 


Configuration Commands 


Command 


encapsulation frame- 
relay 


Description 


Enables Frame Relay encapsulation 


frame-relay adaptive- 
shaping becn 


The map class subcommand used to specify that traffic should 
be throttled based on BECN messages 


frame-relay class map- 
class-name 


Associates a map class with an interface or subinterface 


frame-relay cir 
traffic-rate 


Changes the default Frame Relay traffic rate of 56 kbps 


frame-relay interface- 
dlci dlci-number 


Assigns a data-link connection identifier (DLCI) to a specified 
Frame Relay subinterface on the router or access server 


frame-relay traffic- 
rate cir eir (peak 
rate) 


Specifies the traffic rates to be enforced by Frame Relay traffic 
shaping (FRTS) 


frame-relay traffic- 
shaping 


Enables Frame Relay traffic shaping on virtual circuits (VCs) on 
an interface 


interface serial 
number. subinterface- 
number {multipoint | 
point-to-point} 


Enters subinterface configuration mode. Multipoint or point-to- 
point must be specified 


load-interval 


Changes the default time period for load calculations on an 
interface 


map-class frame-relay 
map-class-name 


Specifies a map class to define a quality of service such as 
Frame Relay traffic shaping for a switched virtual circuit (SVC) 


show frame-relay map 


Displays the current Frame Relay map entries and information 
about the connections 


show frame-relay pvc 


Displays the status and statistics for a Frame Relay permanent 
virtual circuit (PVC) on a per-interface and DLCI basis 


show traffic-shape 
statistics 


Displays which subinterfaces are active for traffic shaping and 
how much traffic has been shaped 


Scenario 


Given a central site with a Frame Relay network connection to its branch office, configure 
Frame Relay on the central site and branch office routers. Also, configure subinterfaces on the 
central site router to accommodate one VC connection to the branch using the Frame Relay 
network. Often, the physical lines at the central site are larger and may accommodate more 
bandwidth than at the branch office. For this reason, enable FRTS to control traffic flow from 
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the central site. 


Building Cisco Remote Access Networks (BCRAN) v2.1 


Copyright © 2004, Cisco Systems, Inc. 


Setup 


Setup Tasks 


Gather the information shown in this table prior to starting this lab. 


Pod Number 


Information Required 


Example (X is your 
pod number; all 
subnet masks are 


Write in the 
information for your 
pod 


255.255.255.0) 
Central router Your (first) LAN Ethernet 0/0 
interface type 
Central router Your (first) LAN 10.X.0.1 
interface IP 
Central router Your (second) WAN Serial 0/1 
interface type 
Serial 3/1 
Central router Your (second) WAN 10.X.150.1 
interface IP address 
Central router Frame Relay DLCI X12 
Cisco Secure AAA IP address 10.X.0.200 
server 
Branch router Your (first) LAN FastEthernetO 
interface type 
EthernetO 
Branch router Your (first) LAN 10.X.10.2 
interface IP 
Branch router Your (second) WAN Serial 1 
interface type 
Branch router Your (second) WAN 10.X.150.2 
interface IP address 
Branch router Frame Relay DLCI X21 
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From your PC, establish a Telnet session to the terminal server and open a console connection 
to the branch router of your pod. 


From your PC, establish a Telnet session to the terminal server again and open a second 
console connection to the central router of your pod. 


You will now be able to configure and observe output on both routers simultaneously. 


TFTP the appropriate preconfiguration files to the central and branch routers and reload the 
routers. 


Lab Guide 
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Task 1: Configuring Frame Relay Subinterfaces on the Central 
Site Router 


Assume that the central site needs to connect to multiple branch offices, but the central site has 
only a single link to your ISP. You have determined that Frame Relay is the option that best 
suits the organizational needs, but that it is not cost-effective to have a separate link into the 
ISP cloud for each branch office. You must configure your single link to support multiple VC 
connections to the other branch offices. In this section, you will configure a point-to-point 
subinterface to connect to one of the branch office routers. 


Exercise Procedure 


Complete these steps: 
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Step 1 


Step 2 


Note 


Step 3 


Step 4 


Step 5 


Note 


Step 6 


Step 7 


Step 8 


On the central site router, using the command list, enable the second WAN interface 
of your central site router for Frame Relay. 


Change the default load calculation interval from five minutes to 30 seconds. 


IP addresses are configured on the subinterfaces; no IP address is specified on the physical 
interface. 


Using the command list, on the central site router, create a subinterface with a “0.1” 
for point-to-point operation and with a description “This interface goes to the branch 
office.” 


Configure the subinterface with the Frame Relay IP address that is listed in the setup 
table. 


Using the command list, configure the Frame Relay subinterface with a bandwidth 
of 9 kbps. 


This setting is only used for the routing protocol to correctly calculate the metric to the 
branch site. The default metric for serial interfaces on Cisco routers is 1.544 Mbps. 


Using the command list, assign the Frame Relay subinterface with the Frame Relay 
DLCI going to the branch router. 


Save your configuration on the central site router. 


Verify that the status of the main Frame Relay serial interface and the line protocol, 
Frame Relay, are both up. Output should be similar to the following: 


Serial3/1 is up, line protocol is up 
Hardware is CD2430 in sync mode 
MTU 1500 bytes, BW 128 Kbit, DLY 20000 usec, 
reliability 255/255, txload 1/255, rxload 1/255 
Encapsulation FRAME-RELAY, loopback not set 
Keepalive set (10 sec) 


LMI eng sent 22, LMI stat recvd 23, LMI upd recvd 0, DTE 
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LMI up 
LMI enq recvd 0, LMI stat sent 0, LMI upd sent 0 
LMI DLCI 1023 LMI type is CISCO frame relay DTE 


<output omitted> 


Step 9 What is the current status of the Frame Relay PVC and why? 


The output on your central site router should be similar to the following: 


Pvc Statistics for interface SerialX/1 (Frame Relay DTE) 


Active Inactive Deleted Static 
Local 0 1 0 0 
Switched 0 0 0 0 
Unused 0 0 0 0 


DLCI = XXX, DLCI USAGE = LOCAL, PVC STATUS = INACTIVE, 
INTERFACE = SerialX/1.1 

input pkts 0 output pkts 0 in bytes 0 

out bytes 0 dropped pkts 0 in FECN 
pkts 0 

in BECN pkts 0 out FECN pkts 0 out BECN 
pkts 0 

in DE pkts 0 out DE pkts 0 

out bcast pkts 0 out bcast bytes 0 


pve create time 00:04:27, 
last time pvc status changed 


Caution If the PVC status is deleted, do not proceed with this lab. This means the Frame Relay 
switch does not know about the DLCI number that you entered on the router. 


Step10 Proceed to Task 2. 
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Task 2: Configuring a Frame Relay Subinterface on the Branch 


Office Router 


In this section you will configure a point-to-point subinterface on the branch router to connect 
to the central office router. 


Exercise Procedure 


Complete these steps: 


Step 1 


Step 2 


Step 3 


Step 4 


Step 5 


Step 6 


Step 7 


Step 8 


On the branch office router, using the command list, enable the second WAN 
interface of your branch site router for Frame Relay. 


Change the default load calculation interval from five minutes to 30 seconds. 


Using the command list, on the branch router, create a subinterface “0.1” for point- 
to-point operation and with a description “This interface goes to central office.” 


Configure the serial “0.1” subinterface with the Frame Relay IP address that is listed 
in the setup table. 


Using the command list, configure the serial 1.1 subinterface with a bandwidth of 9 
kbps. 


Using the command list, assign the serial “0.1” subinterface with the Frame Relay 
DLCI going to the central router. 


Save your configuration at the branch router. 


Verify that the status of the main Frame Relay serial interface and the line protocol, 
Frame Relay, are both up. Output should be similar to the following: 


Seriall is up, line protocol is up 
Hardware is PowerQUICC Serial 
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, 
reliability 255/255, txload 1/255, rxload 1/255 
Encapsulation FRAME-RELAY, loopback not set 
Keepalive set (10 sec) 


LMI eng sent 25, LMI stat recvd 26, LMI upd recvd 0, DTE 
LMI up 


LMI enq recvd 0, LMI stat sent 0, LMI upd sent 0 
LMI DLCI 1023 LMI type is CISCO frame relay DTE 


show frame-relay pvc 
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Step 9 What is the current status of the Frame Relay PVC and why? 


The output on your branch site router should be similar to the following: 


Pvc Statistics for interface SerialO (Frame Relay DTE) 


Active Inactive Deleted Static 
Local 1 0 0 ) 
Switched 0 0 0 0 
Unused 0 0 0 0 


DLCI = X21, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE 


= Seriall.1 

input pkts 69 output pkts 57 in bytes 
6065 

out bytes 4203 dropped pkts 0 in FECN 
pkts 0 

in BECN pkts 0 out FECN pkts 0 out BECN 
pkts 0 

in DE pkts 0 out DE pkts 0 

out beast pkts 53 out bcast bytes 3971 


pvc create time 00:04:43, last time pvc status changed 
00:04:33 


Step 10 Proceed to Task 3. 


Task 3: Verifying Frame Relay Operation 


Use the following steps to verify for proper Frame Relay operation. 


Exercise Procedure 


Complete these steps: 


Step 1 At both router, use the show ip route command to verify an EIGRP route to the 
LAN network of the remote site. 


Step 2 View the dynamically generated route maps that your router can use to route traffic 
with the show frame-relay map command. Verify that the map to the branch office 
routers LAN interface network is in the map table. 


Step 3 To verify connectivity with your peer, ping to the LAN interface of the remote 
router. 


Step 4 Proceed to Task 4. 
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Task 4: Enabling Adaptive Traffic Shaping Using BECN 


Use the following steps to enable adaptive traffic shaping by using BECN. 


Exercise Procedure 


Complete these steps: 


Step 1 


Step 2 


Step 3 


Step 4 


Step 5 


On the central site router, using the command list, create a Frame Relay map named 
TSLAB. 


Using the command list, define backward explicit congestion notification (BECN) 
support as the traffic-shaping method for the TSLAB map class. 


Using the command list, enable traffic shaping on the main Frame Relay serial 
interface of the central router. 


Using the command list, configure the main Frame Relay serial interface of the 
central router to use the Frame Relay map TSLAB. 


Verify that traffic shaping is enabled and adapts to BECN by showing the PVC 
status information. Your output should be similar to the following: 


PVC Statistics for interface SerialX/1 (Frame Relay DTE) 


Active Inactive Deleted Static 
Local al 0 0 0 
Switched 0 0 0 0 
Unused 0 0 0 0 


DLCI = XXX, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE 
= SerialX/1.1 


input pkts 352 output pkts 365 in bytes 
28008 

out bytes 30060 dropped pkts 0 in FECN 
pkts 0 

in BECN pkts 0 out FECN pkts 0 out BECN 
pkts 0 

in DE pkts 0 out DE pkts 0 

out bcast pkts 356 out beast bytes 29252 


Shaping adapts to BECN 


pve create time 00:30:54, last time pvc status changed 
00:25:14 
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Step 6 Use the show frame-relay pve DECI# command to again verify that traffic shaping 
is enabled, and that it adapts to BECN. Notice that the Frame Relay interface 
defaults to a committed information rate (CIR) of 56 kbps. Your output should look 
similar to the following: 


PVC Statistics for interface SerialX/1 (Frame Relay DTE) 


DLCI = XXX, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE 
= SerialX/1.1 


input pkts 172 output pkts 185 in bytes 
13563 

out bytes 15537 dropped pkts 0 in FECN 
pkts 0 

in BECN pkts 0 out FECN pkts 0 out BECN 
pkts 0 

in DE pkts 0 out DE pkts 0 

out bcast pkts 176 out beast bytes 14729 


Shaping adapts to BECN 


pve create time 00:18:04, last time pvc status changed 


00:12:24 
cir 56000 be 7000 be 0 limit 875 
interval 125 
mincir 28000 byte increment 875 Adaptive Shaping BECN 
pkts 57 bytes 4572 pkts delayed 0 bytes 
delayed 0 


shaping inactive 
traffic shaping drops 0 


SerialX/1.1 dlci XXX is first come first serve default 
queuing 


Output queue 0/40, 0 drop, 0 dequeued 


Note The frame-relay class command has been applied to the main interface. This causes each 
subinterface to inherit the properties of the main interface. The default CIR for traffic shaping 
is 56 kbps. This can cause serious disruption of services to a high-speed serial interface 
because each subinterface will be limited to 56 kbps of outbound traffic. 


Step 7 Proceed to Task 5. 
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Task 5: Modifying Frame Relay Traffic Shaping 


In the previous task, you enabled adaptive traffic shaping for all flows from the central site. 
You will now enable per-DLCI traffic shaping which can be applied to individual sub- 
interfaces. You will first have to demonstrate that traffic peaks at speeds higher than 9600 bps 
between the central site and the branch site. To implement FRTS, you will lower the CIR at the 
central-site router, forcing the router to shape the traffic to avoid bursting beyond the Internet 
service provider (ISP) guaranteed rates and dropping frames. 


Exercise Procedure 


Complete these steps: 


Step 1 


Verify that the load at the Frame Relay interface of the branch site router is 
calculated every 30 seconds with the show interface command. Output should be 
similar to the following: 


SerialO is up, line protocol is up 
< Output omitted > 
30 second input rate 0 bits/sec, 0 packets/sec 


30 second output rate 0 bits/sec, 0 packets/sec 


< Output omitted > 


As the interface forwards or receives data, the traffic rate will be displayed. 


100 


Step 2 


Note 


Step 3 


To test the traffic rate between sites, use the extended ping command from the 
central router. Ping the Ethernet interface of the branch router 100 times with 1500- 
byte datagrams. 


This will cause the central router to send large amounts of Internet Control Message 
Protocol (ICMP) traffic to the branch site. 


While traffic is being generated from the central router, switch back to the branch 
router and verify that the serial interface is receiving traffic above 9600 bps with the 
show interface command. You may need to repeat this command several times. 
Output should be similar to the following: 


< Output omitted > 
30 second input rate 13000 bits/sec, 2 packets/sec 


30 second output rate 13000 bits/sec, 2 packets/sec 


< Output omitted > 
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Step 4 


Step 5 


Note 


Step 6 


Step 7 


Step 8 


Step 9 


Now that you have verified that the traffic rate is not limited to 9600 bps, you are 
now ready to enable traffic shaping on the central site. 


At the central site router, modify the map class TSLAB by changing the committed 
information rate from the default of 56,000 bps to 9600 bps. 


Now define the FRTS CIR and peak rates that will be used to enforce traffic 
shaping. For the purposes of this lab, the CIR and the peak rate will be the same. 
You will shape the traffic flows from the central site to 9600 bps. 


The throttling back of traffic is now based on the Frame Relay traffic-rate command. 
Execute an extended ping to the LAN interface of the branch router 100 times with 
1500-byte datagrams. 


While traffic is still being sent from the central router, switch back to the branch 
router. Use the show interface command repeatedly and verify that traffic is flowing 
at a rate no higher than 9600 bps. Output should be similar to the following: 


< Output omitted > 


30 second input rate 9000 bits/sec, 2 packets/sec 
30 second output rate 9000 bits/sec, 2 packets/sec 


< Output omitted > 


The input traffic rate should also not exceed 9000 bps. 


On the central router, use the show traffic-shape statistics command to see if 
shaping is active and how many packets have been delayed per subinterface. 


Access Queue Packets Bytes Packets Bytes 
Shaping 

I/F List Depth Delayed 
Delayed Active 

Se X/1.1 0 4608 2101252 1331 1592164 no 


Use the show frame-relay pve DLCI# command to verify that traffic shaping is 
enabled but not active. Your output should look like similar to the following: 


PVC Statistics for interface SerialX/1 (Frame Relay DTE) 


DLCI = XXX, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE 
= SerialX/1.1 
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input pkts 355 output pkts 375 in bytes 


170746 

out bytes 173114 dropped pkts 0 in FECN 
pkts 0 

in BECN pkts 0 out FECN pkts 0 out BECN 
pkts 0 

in DE pkts 0 out DE pkts 0 

out beast pkts 271 out beast bytes 22426 


Shaping adapts to BECN 


pve create time 00:24:08, last time pvc status changed 


00:19:18 
cir 9600 be 9600 be 0 limit 150 

interval 125 
mincir 4800 byte increment 150 Adaptive Shaping BECN 
pkts 312 bytes 167433 pkts delayed 130 bytes 


delayed 151342 
shaping inactive 
traffic shaping drops 0 


SerialX/1.1 dlci XXX is first come first serve default 
queuing 


Output queue 0/40, 0 drop, 130 dequeued 


Exercise Verification 


You have completed this exercise when you attain these results: 


m You successfully pinged the LAN interfaces of the central site router from the branch office 
router and vice versa, and enabled traffic shaping on the central site router to the lower 
speed branch office router. 


On the central router, verify that your configuration contains added lines similar to the 
following: 


interface Serialx/1 


encapsulation frame-relay ! Task 1 step 1 
load-interval 30 ! Task 1 step 2 
frame-relay class TSLAB ! Task 4 step 4 
frame-relay traffic-shaping ! Task 4 step 3 
interface SerialX/1.1 point-to-point ! Task 1 step 3 
description This interface goes to branch office ! Task 1 step 3 
bandwidth 9 ! Task 1 step 5 
ip address 10.X.150.1 255.255.255.0 ! Task 1 step 4 
frame-relay interface-dlci X12 ! Task 1 step 6 
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map-class frame-relay TSLAB ! Task 4 step 1 


frame-relay adaptive-shaping becn ! Task 4 step 2 
frame-relay cir 9600 ! Task 5 step 4 
frame-relay traffic-rate 9600 9600 ! Task 5 step 5 


On the Branch router verify that your configuration contains lines similar to the following: 


interface Seriall 


encapsulation frame-relay ! Task 2 step 1 
load-interval 30 ! Task 2 step 2 
interface Seriall.1 point-to-point ! Task 2 step 3 
description This interface goes to central office! Task 2 step 3 
bandwidth 9 ! Task 2 step 5 
ip address 10.X.150.2 255.255.255.0 ! Task 2 step 4 
frame-relay interface-dlci X21 ! Task 2 step 6 
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Lab Exercise Answer Key 


Lab Exercise 8-1: Establishing a Dedicated Frame Relay Connection and Controlling 


Traffic Flow 


When you complete this lab exercise, your router configuration will be similar to the following, 
with differences that are specific to your pod. 


Branch Router End Configuration 
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version 12.2 
service timestamps debug uptime 
service timestamps log uptime 
no service password-encryption 
! 
hostname branch_3 
! 
enable secret 5 $1SVNoh$D/VR81iICXdHBV1£zCxxX.. 
! 
mmi polling-interval 60 
no mmi auto-configure 
no mmi pvc 
mmi snmp-timeout 180 
ip subnet-zero 
! 
! 
no ip domain-lookup 
! 
ip ssh time-out 120 
ip ssh authentication-retries 3 
! 
! 
! 
! 
interface BRIO 
no ip address 
shutdown 
no cdp enable 
! 
interface FastEtherneto 


description This is the Ethernet network for the Branch 
router 


ip address 10.3.10.2 255.255.255.0 
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speed auto 
no cdp enable 

! 
interface Serialod 

no ip address 

shutdown 

no cdp enable 

! 
interface Seriall 

no ip address 

encapsulation frame-relay 
load-interval 30 

! 

interface Seriall.1 point-to-point 
description This interface goes to central office 
bandwidth 9 

ip address 10.3.150.2 255.255.255.0 

no cdp enable 

frame-relay interface-dlci 321 

! 

router eigrp 100 

passive-interface FastEthernet0 
network 10.0.0.0 

no auto-summary 

no eigrp log-neighbor-changes 

! 

ip classless 

no ip http server 

ip pim bidir-enable 

! 
! 
no cdp run 
! 
banner motd * 
Labs Lab8 Lab8 Lab8 Lab8 Lab8 Lab8 Lab8 Lab8 Lab8 Lab8 Lab8 


branch branch branch branch branch branch branch branch 
Notes from the instructor: 


All local passwords should be set to "cisco" 
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branch branch branch branch branch branch branch branch 


Lab8 Lab8 Lab8 Lab8 Lab8 Lab8 Lab8 Lab8 Lab8 Lab8 Lab8 Lab8 


A 
! 
line con 0 
exec-timeout 30 0 
logging synchronous level all 
history size 200 
line aux 0 
line vty 0 4 
exec-timeout 30 0 
password cisco 
logging synchronous 
login 
history size 200 
! 


end 


Central Router End Configuration 
version 12.2 


service timestamps debug uptime 
service timestamps log uptime 
no service password-encryption 
! 

hostname central_3 

! 

enable secret 5 $1$0rD1l$w/fzkyt£Vaq0jS.G6E.6e/ 
! 

ip subnet-zero 

! 

! 

no ip domain-lookup 

! 

! 

call rsvp-sync 

! 

! 
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controller T1 1/0 
framing sf 
linecode ami 
! 

! 

! 


interface Ethernet0/0 


description This is the Ethernet network for the Central router 


ip address 10.3.0.1 255.255.255.0 
half-duplex 

no cdp enable 

! 
interface Ethernet0/1 

no ip address 

shutdown 

half-duplex 

no cdp enable 

! 
interface Serial3/0 

no ip address 

shutdown 

no cdp enable 

! 
interface Serial3/1 

no ip address 

encapsulation frame-relay 
load-interval 30 

no fair-queue 

frame-relay class TSLAB 
frame-relay traffic-shaping 

! 

interface Serial3/1.1 point-to-point 
description This interface goes to branch office 
bandwidth 9 

ip address 10.3.150.1 255.255.255.0 
no cdp enable 

frame-relay interface-dlci 312 

! 

interface Serial3/2 


no ip address 
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shutdown 
no cdp enable 
! 
interface Serial3/3 
no ip address 
shutdown 
no cdp enable 
! 
router eigrp 100 
passive-interface Ethernet0/0 
network 10.0.0.0 
no auto-summary 
! 
ip classless 
no ip http server 
! 
! 
map-class frame-relay TSLAB 
frame-relay cir 9600 
frame-relay traffic-rate 9600 9600 
frame-relay adaptive-shaping becn 
no cdp run 
! 
! 
dial-peer cor custom 
! 
! 
! 
! 
banner motd * 
Labs Lab8 Lab8 Lab8 Lab8 Lab8 Lab8 Lab8 Lab8 Lab8 Lab8 Lab8 
central central central central central central central central 
Notes from the instructor: 
All local passwords should be set to "cisco" 
central central central central central central central central 


Lab8 Lab8 Lab8 Lab8 Lab8 Lab8 Lab8 Lab8 Lab8 Lab8 Lab8 Lab8 


A 
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line con 0 
exec-timeout 30 0 
logging synchronous level all 
history size 200 

line 65 70 
flush-at-activation 

line aux 0 

line vty 0 4 
exec-timeout 30 0 
password cisco 
logging synchronous 
login 


history size 200 


end 
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Lab Exercise 9-1: Enabling a Backup to a Primary 
Connection 


Complete this lab exercise to practice what you learned in the related module. 


Exercise Objective 
Upon completing this lab, you will be able to: 
™ Configure a dial backup connection for your primary connection 


m Enable the backup connection when the primary connection fails 


Visual Objective 


The figure illustrates what you will accomplish in this exercise. 


Frame Relay and 
ISON Services 


Legend 


ISDN PRI 
Frame Relay — 


ISDN BRI eg: JESS, 


LAN 
Connection 
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Command List 


The commands used in this exercise are described in the table here. 


Configuration Commands 


Command Description 

backup delay {enable- Defines how much time should elapse before a secondary line 
delay | never} status changes and after a primary line status changes 
{disable-delay | 

never } 

backup interface Sets an interface as a secondary or dial backup interface 
interface-type number 

debug backup Shows the backup process in real-time 

dialer-list dialer- Specifies interesting traffic and associates it to a dialer group 


group protocol 

protocol -name {permit 
| deny | list access- 
list-number | access- 


group} 
(no) logging console Enables and disables the logging of messages to the console 
show backup Shows the backup status 

Scenario 


Critical information is required to travel across the Frame Relay connection between the central 
site and remote branch office. Currently, you have connectivity from the branch router to the 
central office via an ISDN provider and a Frame Relay provider. You would like to use the 
ISDN provider only when the Frame Relay link is down. For this reason, you must configure 
the ISDN connection to back up the primary Frame Relay connection in the event the primary 
connection fails. The EIGRP routing protocol has been enabled on all links between the central 
and branch routers. 
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Setup 


Gather the information in this table prior to starting this lab. 


Pod Number 


Information Required 


Example (where X is 
your pod number). All 
subnet masks are 


Write in the 
information for your 
pod 


255.255.255.0 
Central router Your (first) LAN Ethernet 0/0 
interface type 
Central router Your (first) LAN 10.X.0.1 


interface IP 


Central router 


ISDN switch type 


primary-5ess 


Central router ISDN number 555X100 
Central router Dialer 1 IP to branch 10.X.200.1 
Central router Your (second) WAN Serial 0/1 
interface type 
Serial 3/1 
Central router Your (second) WAN 10.X.150.1 
interface IP address 
Central router Frame Relay DLCI X12 
Central router Initial config file name PXc8 
Central router TFTP server address 10.X.0.200 
Branch router Your (first) LAN FastEthernetO 
interface type 
EthernetO 
Branch router Your (first) LAN 10.X.10.2 
interface IP 
Branch router ISDN interface IP to 10.X.200.2 
central 
Branch router ISDN switch type basic-5ess 
Branch router ISDN number 555X200 
Branch router Dialer 1 IP to central 10.X.200.2 
Branch router Your (second) WAN Serial 1 
interface type 
Branch router Your (second) WAN 10.X.150.2 
interface IP address 
Branch router Frame Relay DLCI X21 
Branch router Initial config file name PXb8 
Branch router TFTP server address 10.X.10.200 
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Setup Tasks 


From your PC, establish a Telnet connection to the terminal server and open a console 
connection to the branch router of your pod. 


From your PC, establish a Telnet connection to the terminal server again and open a second 
console connection to the central router of your pod. 


You will now be able to configure and observe output on both routers simultaneously. 


TFTP the appropriate preconfiguration files to the central and branch routers and reload the 
routers. 


Verify that your central site router and branch office routers each have a Frame Relay 
connection to the service provider cloud. 


Verify that your central site router and branch office routers each have an ISDN connection to 
the service provider cloud. 


As a part of the preconfiguration, a map-class named BACKUP has been enabled on the Frame 
Relay interface. Frame Relay end-to-end keepalives (EEKs) have been enabled in the map class 
so that the routers will be notified when the link is down. 


Verify that you have connectivity between the central and branch routers by executing a ping 
between the ISDN link and the Frame Relay link. 


Verify on the branch router that you have the central LAN interface network in the routing 
table. 


Verify on the central router that you have the branch router LAN interface in the routing table. 
Note As a part of the preconfiguration, it should be noted that the ISDN link is being activated by 


EIGRP. When you have completely configured both routers for backup operation, the ISDN 
line will no longer be brought up unless the Frame Relay interface is disabled. 


Copyright © 2004, Cisco Systems, Inc. Lab Guide 113 


Task 1: Establishing a Backup Connection on the Central 
Router 


On the central router, you have a Frame Relay primary connection and an ISDN backup 
connection to the branch router. 


Exercise Procedure 


Complete these steps: 


Step 1 


Step 2 


Step 3 


Step 4 


Step 5 


On the central site router, verify that the dialer interface is spoofing with the show 
interface dialer 1 command. Output should be similar to the following: 


CENTRAL X# show interfaces dialer 1 
Dialerl is up, line protocol is up (spoofing) 
<Output omitted> 


Using the command list, configure the dialer 1 interface to back up the serial Frame 
Relay subinterface. 


The dialer | interface should dial the branch router 20 seconds after the central 
router detects a Frame Relay connection failure. The ISDN line should also 
disconnect 40 seconds after Frame Relay connection is restored. Using the 
command list, configure this feature on the central router. 


Save your configuration. 


Proceed to Task 2. 


Task 2: Configuring Backup Operation on the Branch Router 


On the branch router, you have a Frame Relay connection and an ISDN backup connection to 
the central router. You must now configure the branch router to compliment the backup 
operation configuration at the central site router. 


Exercise Procedure 


Complete these steps: 
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Step 1 


What is it about EIGRP that is bringing the ISDN connection up and down? 


Note 


Step 2 


Step 3 


The ISDN connection is already operational from the preconfiguration. This was 
done so that you could verify its operation prior to configuring the backup. You will 
now need to remove the dialer list to prevent the branch router from also bringing up 
the ISDN connection for EIGRP. 


It is always best practice to verify basic connectivity and operation before implementing 
more advanced configurations and technologies. 


Create an extended access-list 101 that denies EIGRP but allows all other IP traffic. 


Now you must configure the branch router with a new dialer list that matches 
interesting traffic based on the access-list 101, and which will bring up the ISDN 
backup connection for interesting traffic other than EIGRP. 
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Task 3: Verifying and Enabling the Dial Backup 


Use the following steps to verify and enable the dial backup. 


Exercise Procedure 


Complete these steps: 


Step 1 


Step 2 


Step 3 


Step 4 
Step 5 


Step 6 


Step 7 


Step 6 


Step 7 


Step 8 


On the central site router, enter the show interface dialer 1 command to verify that 
dialer | is in standby mode. 


Use the show backup command and record the following information: 


Primary interface 


Backup interface 


Status 


Use the show ip route command to determine which interface is the preferred route 
to the branch router LAN interface network. Record the results. 


On the central office router, issue the command debug backup. 
Console into the branch office router. 


Shutdown the serial Frame Relay interface of the branch router and go back to the 
central router to examine the backup debugging events. 


After the backup dialer interface has made connection to the branch router, verify 
the status of the backup interface and record your results. 


Primary interface 


Backup interface 


Status 


Determine which interface is the preferred route to the branch router LAN interface 
network. Record the results: 


Notice that the access list at the branch router that denied EIGRP only kept EIGRP 
from bringing up the ISDN connection but not from distributing routes after the 
connection was made. 


From the branch office router, restore the Frame Relay interface and console back to 
the central router to observe the backup debugging output. 


After the debugging output has stated that the dialer 1 interface is in standby mode, 
verify that the central router is using the Frame Relay interface to the FastEthernet 
network of the branch router. 
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Exercise Verification 


You have completed this exercise when you attain these results: 


m If the secondary line came up upon failure of the primary line and the backup line went 
down shortly after the primary line reengaged. 


On the central router, verify that your configuration contains added lines similar to the 
following: 


int serial X/1.1 
backup interface dialer 1 ! Task 1 Step 2 
backup delay 20 40 ! Task 1 Step 3 


On the branch router, verify that your configuration contains added lines similar to the 


following: 

access-list 101 deny eigrp any any ! Task 2 Step 2 
access-list 101 permit ip any any ! Task 2 Step 
2 

dialer-list 1 protocol ip list 101 ! Task 2 Step 3 
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Lab Exercise Answer Key 


Lab Exercise 9-1: Enabling a Backup to a Primary Connection 


When you complete this lab exercise, your router configuration will be similar to the following, 


with differences that are specific to your pod. 


Branch Router End Configuration 
version 12.2 


service timestamps debug uptime 
service timestamps log uptime 
no service password-encryption 
! 


hostname branch_3 


enable secret 5 $1SJrCHSwkvEFxkiU0OSf£tE6H.YEDE. 


! 
username central_3 password 0 cisco 
mmi polling-interval 60 
no mmi auto-configure 
no mmi pvc 
mmi snmp-timeout 180 
ip subnet-zero 
! 
! 
no ip domain-lookup 
! 
ip ssh time-out 120 
ip ssh authentication-retries 3 
isdn switch-type basic-5ess 
! 
! 
! 
! 
interface BRIO 
no ip address 
encapsulation ppp 
dialer pool-member 1 
isdn switch-type basic-5ess 
no cdp enable 


ppp authentication chap 
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interface FastEtherneto 
description This is the Ethernet network for the Branch router 
ip address 10.3.10.2 255.255.255.0 
speed auto 
no cdp enable 
! 
interface Serial0o 
no ip address 
encapsulation frame-relay 
shutdown 
! 
interface Seriall 
bandwidth 32 
no ip address 
encapsulation frame-relay 
frame-relay class BACKUPLAB 
! 
interface Seriall.1 point-to-point 
description This interface goes to Central 
ip address 10.3.150.2 255.255.255.0 
no cdp enable 
frame-relay interface-dlci 321 
! 
interface Dialerl 
description This dialer goes from Branch to Central 
ip address 10.3.200.2 255.255.255.0 
encapsulation ppp 
dialer pool 1 
dialer remote-name central_3 
dialer string 5553100 
dialer-group 1 
no cdp enable 
ppp authentication chap 
! 
router eigrp 100 
passive-interface FastEthernet0 
network 10.0.0.0 
no auto-summary 


no eigrp log-neighbor-changes 
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ip classless 

no ip http server 

ip pim bidir-enable 

! 

! 

! 

map-class frame-relay BACKUPLAB 
frame-relay end-to-end keepalive mode bidirectional 
frame-relay adaptive-shaping becn 

access-list 101 deny eigrp any any 

access-list 101 permit ip any any 

dialer-list 1 protocol ip list 101 


no cdp run 
! 

banner motd ~* 

Lab9 Lab9 Lab9 Lab9 Lab9 Lab9 Lab9 Lab9 Lab9 Lab9 Lab9 Lab9 
branch branch branch branch branch branch branch branch 

Notes from the instructor: 

All local passwords should be set to "cisco" 


branch branch branch branch branch branch branch branch 


Lab9 Lab9 Lab9 Lab9 Lab9 Lab9 Lab9 Lab9 Lab9 Lab9 Lab8 Lab9 


A 
! 

line con 0 

exec-timeout 30 0 

logging synchronous level all 
history size 200 

line aux 0 

line vty 0 4 

exec-timeout 30 0 

password cisco 

logging synchronous 

login 

history size 200 

! 
no scheduler allocate 


end 
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Central Router End Configuration 
version 12.2 


service timestamps debug uptime 
service timestamps log uptime 
no service password-encryption 
! 
hostname central _3 
! 
enable secret 5 $1SsFQNSFqoBYgbb6bbkpCé6ERDrkKg1 
! 
username branch_3 password 0 cisco 
ip subnet-zero 
! 
! 
no ip domain-lookup 
! 
! 
isdn switch-type primary-5ess 
call rsvp-sync 
! 
! 
! 
! 
! 
! 
controller T1 1/0 
framing esf 
linecode b8zs 
pri-group timeslots 1-24 
! 
! 
! 
interface Ethernet0/0 
description This is the Ethernet network for the Central router 
ip address 10.3.0.1 255.255.255.0 
half-duplex 
no cdp enable 
! 
interface Ethernet0/1 


no ip address 
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shutdown 

half-duplex 

no cdp enable 

! 
interface Seriall1/0:23 

no ip address 

encapsulation ppp 

dialer pool-member 1 

isdn switch-type primary-5ess 
no cdp enable 

ppp authentication chap 

! 
interface Serial3/0 

no ip address 

shutdown 

no cdp enable 

! 
interface Serial3/1 

bandwidth 128 

no ip address 

encapsulation frame-relay 
frame-relay class BACKUPLAB 

! 

interface Serial3/1.1 point-to-point 
description This interface goes to branch office 
backup delay 20 40 

backup interface Dialerl 

ip address 10.3.150.1 255.255.255.0 
no cdp enable 

frame-relay interface-dlci 312 
! 

interface Serial3/2 

no ip address 

shutdown 

no cdp enable 

! 

interface Serial3/3 

no ip address 

shutdown 


no cdp enable 
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! 
interface Dialerl 

description This dialer goes from Central to Branch 
ip address 10.3.200.1 255.255.255.0 
encapsulation ppp 

dialer pool 1 

dialer remote-name branch_3 

dialer string 5553200 

dialer-group 1 

no cdp enable 

ppp authentication chap 

! 
router eigrp 100 

passive-interface Ethernet0/0 

network 10.0.0.0 

no auto-summary 

! 

ip classless 
no ip http server 

! 

! 
map-class frame-relay BACKUPLAB 

frame-relay end-to-end keepalive mode bidirectional 
frame-relay adaptive-shaping becn 
dialer-list 1 protocol ip permit 
no cdp run 

! 

! 

dial-peer cor custom 

! 

! 

! 

! 
banner motd * 
Lab9 Lab9 Lab9 Lab9 Lab9 Lab9 Lab9 Lab9 Lab9 Lab9 Lab9 Lab9 
central central central central central central central central 
Notes from the instructor: 


All local passwords should be set to "cisco" 
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central central central central central central central central 


Lab9 Lab9 Lab9 Lab9 Lab9 Lab9 Lab9 Lab9 Lab9 Lab9 Lab9 Lab9 


A 
! 

line con 0 

exec-timeout 30 0 

logging synchronous level all 
history size 200 

line 65 70 

flush-at-activation 
line aux 0 
line vty 0 4 

exec-timeout 30 0 

password cisco 

logging synchronous 

login 


history size 200 


end 
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Lab Exercise 10-1: Managing Network 
Performance Using CBWFQ and LLQ 


Complete this lab exercise to practice what you learned in the related module. 


Exercise Objective 
Upon completing this lab, you will be able to: 
m Use an access list to define the traffic of interest that you want to classify 
™ Configure a class map that associates an access list with a traffic class 
= Configure a policy map that associates a traffic class to a queue and guarantees bandwidth 
= Configure CBWFQ on an interface 
= Verify CBWFQ operation 


Visual Objective 


The figure illustrates what you will accomplish in this exercise. 


Legend 
Frame Relay ~~Z 


LAN 
Connection —_—_— 


Packet-Switched, 


Analog, ISON, 
and Internet 
Services 
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Command List 


The commands used in this exercise are described in the table here. 


Configuration Commands 


Command 


bandwidth percent 
bandwidth-allocation 


Description 


Used to configure the percentage of bandwidth to be allocated for 
a class 


class class-map-name 


Used to define a class within a policy map 


class-map {match-all | 


Used to configure quality of service (QoS) class maps. 


match-any} name 


match access-group 
access-list 


Used to define a match from an access list to a class-map 


policy-map name Used to create a traffic policy 


service-policy output Used to attach the traffic policy to the interface 


policy-map-name 


Used to display detailed information about the state of a PVC on 
a router 


show frame-relay pvc 
[dlci] 


show policy-map Used to display the configuration of all classes forming the 


[interface] specified service policy map 
priority bandwidth- Used within a policy map to define the priority bandwidth 
kbps 

Scenario 


Users at the branch office are reporting problems with traffic coming from the central site. 
HTTP packets are being dropped due to other network traffic that is on the Frame Relay link. 
Users at the central office have also been complaining that Telnet traffic going to the branch 
office is also being degraded. 


After studying traffic patterns, management has decided to allocate 50 percent of the available 
Frame Relay bandwidth for HTTP network traffic going to the branch office from the central 
office LAN connection. Another 25 percent of all network traffic traversing the Frame Relay 
link will be allocated to Telnet traffic coming from the central office LAN connection. All 
other traffic will contend for the remaining available Frame Relay bandwidth. 


As the lead network engineer, you have decided to implement class-based weighted fair 
queuing (CBWFQ) to support the management-defined QoS requirements. 
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Gather the information shown in this table prior to starting this lab. 


Pod Number 


Information Required 


Example (X is your 
pod number; all 
subnet masks are 


Write in the 
information for your 
pod 


255.255.255.0) 
Central router Your (first) LAN Ethernet 0/0 
interface type 
Central router Your (first) LAN 10.X.0.1 
interface IP 
Central router Your (second/Frame Serial 0/1 
Relay) WAN interface 
type Serial 3/1 
Central router Your (second/Frame 
Relay) WAN interface 10.X.150.1 
IP 
Central router Frame Relay DLCI X12 
Central router Initial config file name pXc9 
Central router TFTP server address 10.x.0.200 
Branch router Your (first) LAN FastEthernetO 
interface type 
EthernetO 
Branch router Your (first) LAN 10.X.10.2 
interface IP 
Branch router Your (second/Frame Serial 1 
Relay) WAN interface 
type 
Branch router Your (second/Frame 10.X.150.2 
Relay) WAN interface 
IP 
Branch router Frame Relay DLCI X21 
Branch router Initial config file name PXb9 Branch Router 
Branch router TFTP server address 10.X.10.200 Branch Router 
SOHO router Your (first) LAN Ethernet 0 
interface type 
SOHO router Your (first) LAN 10.X.10.3 
interface IP 
SOHO router Loopback 42 IP 10.X.42.3 
SOHO router Loopback 43 IP 10.X.43.3 
SOHO router Loopback 44 IP 10.X.44.3 
SOHO router initial config file name PXc9 
SOHO router TFTP server address 10.X.100.200 
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Setup Tasks 


From your PC, establish a Telnet connection to the terminal server and open a console 
connection to the central router of your pod. 


From your PC, establish a Telnet connection to the terminal server again and open a second 
console connection to the branch router of your pod. 


From your PC, establish a Telnet connection to the terminal server again and open a third 
console connection to the SOHO router of your pod. 


You will now be able to configure and observe output on all routers simultaneously. 


TFTP the appropriate preconfiguration files to the central, branch, and SOHO routers, then 
reload the routers. 


Verify that your central site and branch office routers each have a Frame Relay connection to 
the service provider cloud. 


The SOHO site is located near the branch site and connects to it via a LAN network 
connection. The SOHO router will be used to generate IP traffic to test QoS configurations on 
the Frame Relay connection. Three loopback interfaces have been configured on the SOHO 
router for the extended ping tests, which will simulate user traffic. 


Verify that you have connectivity between the central and branch routers by executing a ping 
between Frame Relay links. 


Verify that you can execute an extended ping from the three loopback interfaces of the SOHO 
router to the LAN IP address of the central router. 


Task 1: Configuring a Class Map and Policy Map for CBWFQ 


Use the following steps to configure a class map and policy map for CBWFQ. 


Exercise Procedure 


Complete these steps: 


Step 1 On a central site router, create an extended IP access list 100 to permit HTTP traffic 
requests coming from the LAN network of the central site to go to the LAN network 
of the branch site. 


Step 2 Create an extended IP access list 101 to permit Telnet traffic requests originating 
from the LAN network of the central site to go to the LAN network of the branch 
site. 


Step 3 Using the command list, create a class map named HTTP-CLASS and configure a 
match condition with access list 100. 


Step 4 Using the command list, create a class map named TELNET-CLASS and configure 
a match condition with access list 101. 


Step 5 Create a policy map named CBWFQ-CENTRAL. 
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Step 6 In the policy map, create a traffic policy for class HTTP-CLASS, allocating a 
minimum of 50 percent of the available bandwidth. Under the same policy map, 
create a traffic policy for class TELNET-CLASS allocating a minimum of 25 
percent of the available bandwidth. 


Step 7 Apply the policy-map CBWFQ-CENTRAL to the Frame Relay traffic shaping map 
class TSLAB. 


Step 8 You have now configured QoS for the users at the central site accessing the LAN 
network of the branch office. Save the central router configuration. 


Step 9 Proceed to Task 2. 


Task 2: Verifying the CBWFQ Configuration on the Central 
Router 


Use the following steps to verify the CBWFQ configuration on the central router. 


Exercise Procedure 


128 


Complete these steps: 


Step 1 On the central site router, use the show commands that are listed in the command 
list to complete the following information: 


Bandwidth allocated to the HTTP-CLASS: 
Bandwidth offered rate for the HTTP-CLASS: 
Bandwidth allocated to the TELNET-CLASS: 
Bandwidth offered rate for the TELNET-CLASS: 
Step 2 What command would you use to verify that the CBWFQ is applied correctly to 


your Frame Relay interface to display the following information: 


<Output Omitted> 
Shaping adapts to BECN 


pvc create time 01:05:49, last time pvc status changed 


00:52:48 
cir 9600 be 9600 be 0 byte limit 150 
interval 125 
mincir 4800 byte increment 150 Adaptive Shaping BECN 
pkts 800 bytes 52000 pkts delayed 8 bytes 


delayed 832 
shaping inactive 
traffic shaping drops 0 
service policy CBWFQ-CENTRAL 
<Output Omitted > 
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What command did you enter? 


Step 3 


Proceed to Task 3. 


Task 3: Implementing LLQ and CBWFQ on the Branch Router 


Use the following steps to configure LLQ and CBWFQ on the branch router. 


Exercise Procedure 


Complete these steps: 


Step 1 


Step 2 


Step 3 


Step 4 


Step 5 


Step 6 


Step 7 


Step 8 


Step 9 


Step 10 


On the branch router, create an extended IP access list 102 to permit traffic from the 
loopback 42 interface of the SOHO site to the LAN network of the central site. This 
is to simulate all low-latency dependent traffic flow such as voice over IP and will 
be your low latency queuing (LLQ). 


Create an extended IP access list 103 to permit traffic from the loopback 43 interface 
of the SOHO site to the LAN network of the central site. 


Create an extended IP access list 104 to permit traffic from the loopback 44 interface 
of the SOHO site to the LAN network of the central site. This will simulate another 
data-only traffic flow that is vital, but again there are no low-latency requirements 
and it will use CBWFQ. 


Using the command list, create a class map named LLQ-102-CLASS and configure 
a match condition with access list 102. 


Using the command list, create a class map named CBWFQ-103-CLASS and 
configure a match condition with access list 103. 


Using the command list, create a class map named CBWFQ-104-CLASS and 
configure a match condition with access list 104. 


Create a policy map named CBWFQ-BRANCH. 


Create a traffic policy for the class of traffic named LLQ-102-CLASS, specifying a 
priority of 8 kbps. This will be your priority queue used to implement LLQ and will 
service traffic coming from loopback 42 at the SOHO router. Loopback 42 can be 
considered a voice-enabled resource that is sensitive to delay and jitter. For users at 
the central site, you want to ensure the quality of the voice being transmitted across 
the Frame Relay link. 


Why will LLQ support voice traffic? 


Create a traffic policy for the class of traffic named CBWFQ-103-CLASS, 
specifying a bandwidth of 25 percent. This will be your CBWFQ queue that will 
service traffic coming from loopback 43 at the SOHO router. As such, you want to 
guarantee a minimum percentage of the available bandwidth after the LLQ uses its 8 
kbps. 
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Step 11 


Step 12 


Step 13 


Step 14 


Create a traffic policy for the class of traffic named CBWFQ-104-CLASS, 
specifying a bandwidth of 25 percent. This will be your CBWFQ queue that will 
service traffic coming from loopback 44 at the SOHO router. As such, you want to 
guarantee a minimum percentage of the available bandwidth after the LLQ uses its 8 
kbps. The queues servicing loopbacks 43 and 44 will be in contention for the 
remaining bandwidth across the Frame Relay link. 


Apply the policy map CBWFQ-BRANCH to the Frame Relay traffic shaping map 
class TSLAB. 


You have now configured QoS for the users at the LAN network of the branch office 
accessing the central site. Save the configuration of the branch office router. 


Proceed to Task 4. 


Task 4: Verifying the CBWFQ/LLQ Configuration on the Branch 


Router 


You will now verify the CBWFQ/LLQ configuration on the branch router using the following 


procedure. 


Exercise Procedure 


Complete these steps: 
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Step 1 


Step 2 


On the branch site router, use the show commands listed in the command list to 
complete the following information: 

Bandwidth allocated to the LLQ-102-CLASS: 

The amount of burst that LLQ-102-CLASS is allowed: 


Bandwidth allocated to the CBWFQ-103-CLASS: 


Bandwidth allocated to the CBWFQ-104-CLASS: 


Proceed to Task 5 
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Task 5: Generating Traffic from the SOHO Router to Congest 
the Branch-to-Central Frame Relay Link 


You will establish three connections to the SOHO router to generate significant network traffic. 
You must accomplish all three extended ping sessions in a timely manner to congest the Frame 
Relay link between the branch and central site. Read these steps before attempting to complete 


this task. 


Exercise Procedure 


Complete these steps: 


Step 1 


Step 2 


Step 3 
Step 4 


Step 5 


Step 6 


Step 7 


Step 8 


Step 9 


Step 10 


Note 


Enter the console session to the SOHO router. 


Execute an extended ping to the LAN interface of the central router, using the 
loopback 42 address as the source address. In addition, use 2000 as the ping repeat 
count with a datagram size of 60 bytes. This will simulate a voice-over-IP data flow 
for which you configured LLQ. 


While the extended ping is ongoing, enter the console to the central router. 
Establish a Telnet session to the SOHO router from the central router. 


Execute another extended ping to the LAN interface of the central router using the 
loopback 43 address as the source address. In addition, use 1500 as the ping count 
with a datagram size of 1500 bytes. This will simulate the IP data flow that will use 
CBWFQ. 


While that extended ping is ongoing, suspend the Telnet session by pressing Ctrl- 
shift-6 twice, and then pressing Ctrl-x. You should now be at the prompt of the 
central router. 


Establish a second Telnet session into the SOHO router from the central router. 


Execute another extended ping to the LAN interface of the central router, using the 
loopback 44 address as the source address. In addition, use 1500 as the ping count 
with a datagram size of 1500 bytes. This will simulate the other IP data flow that 
will use CBWFQ. 


Enter the console session of the branch router. 


On the branch site router, use the show commands that are listed in the command 
list repeatedly to complete the following information: 


It will take a few minutes before the CBWFQs reach their maximum threshold of 64 packets 
and begin to start dropping packets. 


Bandwidth allocated to the LLQ-102-CLASS: 


Bandwidth allocated to the CBWFQ-103-CLASS: 


Bandwidth allocated to the CBWFQ-104-CLASS: 
Drop rate for the CBWFQ-103-CLASS: 
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Drop rate for the CBWFQ-104-CLASS: 


Exercise Verification 


You have completed this exercise when you attain these results: 


m= If you were able to configure and verify that CBWFQ and LLQ were configured properly. 


On the central router, verify that your configuration contains added lines similar to the 


following: 
class-map match-all TELNET-CLASS ! Task 1 Step 4 
match access-group 101 ! Task 1 Step 4 
class-map match-all HTTP-CLASS ! Task 1 Step 3 
match access-group 100 ! Task 1 Step 3 
policy-map CBWFQ-CENTRAL ! Task 1 Step 6 
class HTTP-CLASS ! Task 1 Step 7 
bandwidth percent 50 ! Task 1 Step 7 
class TELNET-CLASS ! Task 1 Step 7 
bandwidth percent 25 ! Task 1 Step 7 
map-class frame-relay TSLAB ! from preconfig 
frame-relay cir 128000 ! from preconfig 
frame-relay be 32000 ! from preconfig 
frame-relay traffic-rate 96000 128000 ! from preconfig 
no frame-relay adaptive-shaping ! from preconfig 
service-policy output CBWFQ-CENTRAL ! Task 1 step 8 


access-list 100 permit tcp 10.X.0.0 0.0.0.255 eq www 10.X.10.0 
0.0.0.255 ! Task 1 step 1 


access-list 101 permit tcp 10.X.0.0 0.0.0.255 eq telnet 10.X.10.0 
0.0.0.255 ! Task 1 step 2 


On the branch router, verify that your configuration contains lines similar to the following: 


class-map match-all LLQ-102-CLASS ! Task 3 Step 4 
match access-group 102 ! Task 3 Step 4 
class-map match-all CBWFQ-103-CLASS ! Task 3 Step 5 
match access-group 103 ! Task 3 Step 5 
class-map match-all CBWFQ-104-CLASS ! Task 3 Step 6 
match access-group 104 ! Task 3 Step 6 
policy-map CBWFQ-BRANCH ! Task 3 Step 7 
class LLQ-102-CLASS ! Task 3 Step 8 
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priority 8 ! Task 3 Step 8 

class CBWFQ-103-CLASS ! Task 3 Step 9 

bandwidth percent 25 ! Task 3 Step 9 
class CBWFQ-104-CLASS ! Task 3 Step 10 
bandwidth percent 25 ! Task 3 Step 10 
map-class frame-relay TSLAB ! from preconfig 
frame-relay cir 28000 ! from preconfig 
frame-relay mincir 16000 ! from preconfig 
frame-relay be 4000 ! from preconfig 
frame-relay traffic-rate 8000 8000 ! from preconfig 
no frame-relay adaptive-shaping ! from preconfig 
service-policy output CBWFQ-BRANCH ! Task 3 step 11 


access-list 102 permit ip host 10.X.42.3 10.X.0.0 0.0.0.255! Task 3 
step 2 


access-list 103 permit ip host 10.X.43.3 10.X.0.0 0.0.0.255! Task 3 
step 3 


access-list 104 permit ip host 10.X.44.3 10.X.0.0 0.0.0.255! Task 3 
step 4 
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Lab Exercise Answer Key 
Lab Exercise 10-1: Managing Network Performance Using CBWFQ and LLQ 


When you complete this lab exercise, your router configuration will be similar to the following, 
with differences that are specific to your pod. 


Branch Router End Configuration 
version 12.2 


service timestamps debug uptime 
service timestamps log uptime 
no service password-encryption 
! 
hostname branch_3 
! 
enable secret 5 $1$tq5Y$vypkD8k41/haNVuHZwdo. / 
! 
memory-size iomem 25 
mmi polling-interval 60 
no mmi auto-configure 
no mmi pvc 
mmi snmp-timeout 180 
ip subnet-zero 
! 
! 
no ip domain-lookup 
! 
ip ssh time-out 120 
ip ssh authentication-retries 3 
! 
class-map match-all LLQ-102-CLASS 
match access-group 102 
class-map match-all CBWFQ-104-CLASS 
match access-group 104 
class-map match-all CBWFQ-103-CLASS 
match access-group 103 
! 
! 
policy-map CBWFQ-BRANCH 
class LLQ-102-CLASS 
priority 8 
class CBWFQ-103-CLASS 
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bandwidth percent 25 
class CBWFQ-104-CLASS 
bandwidth percent 25 


interface BRIO 


no ip address 
shutdown 


no cdp enable 


interface FastEthernet0O 


description This is the Ethernet network for the Branch router 


ip address 10.3.10.2 255.255.255.0 
speed auto 


no cdp enable 


interface Serial0 


no ip address 
shutdown 


no cdp enable 


interface Seriall 


bandwidth 32 

no ip address 
encapsulation frame-relay 
no fair-queue 


frame-relay traffic-shaping 


interface Seriall.1 point-to-point 


description This interface goes to Central 
ip address 10.3.150.2 255.255.255.0 

no cdp enable 

frame-relay class TSLAB 


frame-relay interface-dlci 321 


ip classless 


ip route 0.0.0.0 0.0.0.0 10.3.150.1 
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ip route 10.3.40.0 255.255.248.0 10.3.10.3 
no ip http server 
ip pim bidir-enable 
! 
! 
! 
map-class frame-relay TSLAB 
frame-relay cir 28000 
frame-relay be 4000 
frame-relay mincir 16000 
frame-relay traffic-rate 8000 8000 
no frame-relay adaptive-shaping 
service-policy output CBWFQ-BRANCH 
access-list 102 permit ip host 10.3.42.3 10.3.0.0 0.0.0.255 
access-list 103 permit ip host 10.3.43.3 10.3.0.0 0.0.0.255 
access-list 104 permit ip host 10.3.44.3 10.3.0.0 0.0.0.255 


no cdp run 
! 
A 


banner motd 


Lab10 Lab10 Lab10 Lab10 Lab10 Lab10 Lab10 Lab10 Lab10 Lab10 Lab10 
Lab10 


branch branch branch branch branch branch branch branch 
Notes from the instructor: 

All local passwords should be set to "cisco" 

branch branch branch branch branch branch branch branch 


Lab10 Lab10 Lab10 Lab10 Lab10 Lab10 Lab10 Lab10 Lab10 Lab10 Lab10 
Lab10 


A 
! 

line con 0 

exec-timeout 30 0 

logging synchronous level all 
history size 200 

line aux 0 

line vty 0 4 

exec-timeout 30 0 

password cisco 

logging synchronous 


login 
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history size 200 


end 


Central Router End Configuration 
version 12.2 


service timestamps debug uptime 
service timestamps log uptime 

no service password-encryption 
! 
hostname central_3 
! 
enable secret 5 $1$FDyOSnf5uluCduC8FKzMNZCfde/ 
! 
ip subnet-zero 
! 
! 
no ip domain-lookup 
! 
! 
class-map match-all TELNET-CLASS 

match access-group 101 
class-map match-all HTTP-CLASS 

match access-group 100 
! 
! 
policy-map CBWFQ-CENTRAL 

class HTTP-CLASS 

bandwidth percent 50 

class TELNET-CLASS 

bandwidth percent 25 
! 
! 
call rsvp-sync 
! 
! 
! 
! 
! 
! 


controller T1 1/0 
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framing sf 

linecode ami 

! 

! 

! 

interface Ethernet0/0 

description This is the Ethernet network for the Central router 
ip address 10.3.0.1 255.255.255.0 
half-duplex 

no cdp enable 

! 
interface Ethernet0/1 

no ip address 

shutdown 

half-duplex 

no cdp enable 

! 
interface Serial3/0 

no ip address 

shutdown 

no cdp enable 

! 
interface Serial3/1 

bandwidth 128 

no ip address 

encapsulation frame-relay 

no fair-queue 

frame-relay traffic-shaping 

! 
interface Serial3/1.1 point-to-point 
description This interface goes to branch office 
ip address 10.3.150.1 255.255.255.0 
no cdp enable 

frame-relay class TSLAB 

frame-relay interface-dlci 312 

! 
interface Serial3/2 

no ip address 

shutdown 


no cdp enable 
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! 
interface Serial3/3 
no ip address 
shutdown 
no cdp enable 
! 
ip classless 
ip route 0.0.0.0 0.0.0.0 10.3.150.2 
no ip http server 
! 
! 
map-class frame-relay TSLAB 
frame-relay cir 128000 
frame-relay be 32000 
frame-relay traffic-rate 96000 128000 
no frame-relay adaptive-shaping 
service-policy output CBWFQ-CENTRAL 


access-list 100 permit tcp 10.3.0.0 0.0.0.255 eq www 10.3.10.0 
0.0.0.255 


access-list 101 permit tcp 10.3.0.0 0.0.0.255 eq telnet 10.3.10.0 
0.0.0.255 


no cdp run 

! 

! 

dial-peer cor custom 
! 

! 

! 

! 

banner motd * 


Lab10 Lab9 Lab10 Lab10 Lab10 Lab10 Lab10 Lab10 Lab10 Lab10 Lab10 
Lab10 


central central central central central central central central 
Notes from the instructor: 

All local passwords should be set to "cisco" 

central central central central central central central central 


Lab10 Lab10 Lab10 Lab10 Lab10 Lab10 Lab10 Lab10 Lab10 Lab10 Lab10 
Lab10 


Copyright © 2004, Cisco Systems, Inc. Lab Guide 139 


line con 0 
exec-timeout 30 0 
logging synchronous level all 
history size 200 

line 65 70 
flush-at-activation 

line aux 0 

line vty 0 4 
exec-timeout 30 0 
password cisco 
logging synchronous 
login 
history size 200 
! 


end 


SOHO Router End Configuration 


version 12.2 

service timestamps debug uptime 

service timestamps log uptime 

no service password-encryption 

! 

hostname soho_3 

! 

enable secret 5 $1$aNN7Sa0cNnou/3pPLS5d5ZRy8b1 
! 

ip subnet-zero 

no ip domain-lookup 

! 

! 

! 

! 

! 

interface Loopback42 

description loopback used to generate 60 byte voice traffic 
ip address 10.3.42.3 255.255.255.0 

! 

interface Loopback43 

description loopback used to generate 1500 byte traffic 
ip address 10.3.43.3 255.255.255.0 
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interface Loopback44 
description loopback used to generate 1500 byte traffic 
ip address 10.3.44.3 255.255.255.0 
! 
interface Ethernet0 
description This is the Ethernet network for the SOHO router 
ip address 10.3.100.3 255.255.255.0 secondary 
ip address 10.3.10.3 255.255.255.0 
no cdp enable 
! 
interface BRIO 
no ip address 
encapsulation hdlc 
shutdown 
no cdp enable 
! 
ip classless 
ip route 0.0.0.0 0.0.0.0 10.3.10.2 
no ip http server 
! 
no cdp run 
banner motd * 


Lab10 Lab10 Lab10 Lab10 Lab10 Lab10 Lab10 Lab10 Lab10 Lab10 Lab10 
Lab10 


soho soho soho soho soho soho soho soho soho soho soho soho 
Notes from the instructor: 

All local passwords should be set to "cisco" 

soho soho soho soho soho soho soho soho soho soho soho soho 


Lab10 Lab10 Lab10 Lab10 Lab10 Lab10 Lab10 Lab10 Lab10 Lab10 Lab10 
Lab10 


! 

line con 0 

exec-timeout 30 0 

logging synchronous level all 
history size 200 

line vty 0 4 

exec-timeout 30 0 


password cisco 
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logging synchronous 
login 


history size 200 


end 
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Lab Exercise 11-1: Using AAA to Scale Access 
Control 


Complete the lab exercise to practice what you learned in the related module. 


Exercise Objective 
In this exercise you will complete the following tasks: 


™ Configure the central router for AAA authentication to a Cisco Secure ACS server for user 
Telnet sessions 


= Configure the central router for AAA authorization to a Cisco Secure ACS server to 
authorize users for different EXEC privilege levels 


= Configure the central router for AAA accounting to a Cisco Secure ACS server to record 
accounting information for EXEC privileges committed and network access 


™ Configure the central router console port and virtual terminal lines for “back door” access 
in the event of a Cisco Secure ACS server failure 


Visual Objective 


The figure illustrates what you will accomplish in this exercise. 


Dedicated 
Serial Link — 
Cisco Secure 
Legend ACS 
*s 


Serial oe 


LAN 
Connection = 


Branch 
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Command List 


The commands used in this exercise are described in the table here. 


144 


Helpful Commands 


Command 


aaa accounting exec 
default start-stop 
group TACACS+ 


Description 


Specifies that start-stop accounting will be used on all EXEC 
processes 


aaa accounting network 
default start-stop 
group TACACS+ 


Specifies that start-stop accounting will be used on all network 
processes 


aaa authentication 
login no _tacacs enable 


Specifies that the login authentication list that no_tacacs is to use 
the enable password for authentication 


aaa authentication 
login telnet-order 
group TACACS+ local 


Specifies the order of authentication methods for login attempts 


aaa authorization exec 
default group tacacs 


Specifies that authorization for EXEC processes will be from 
TACACS+ 


aaa new-model 


Enables authentication, authorization, and accounting (AAA) 
access control 


debug aaa accounting 


Displays the output of the AAA accounting process 


debug aaa Displays the output of the AAA authentication process 
authentication 

debug aaa Displays the output of the AAA authorization process 
authorization 


debug radius 


Displays the output of the AAA RADIUS process 


debug tacacs 


Displays the output of the AAA TACACS+ process 


debug tacacs events 


Displays the output of the AAA TACACS+ process 


login authentication 
no_tacacs 


Applies the list no_tacacs as the login authentication method 


radius-server host 
address 


Specifies the IP address of the RADIUS server 


radius-server key 
cisco 


Specifies a key of “cisco” for authentication between the access 
server and the RADIUS server 


reload cancel 


Stops a scheduled reload 


reload in hhh:mm 


Reloads the router in the event you lock yourself out 


tacacs-server host 
address single- 
connection 


Specifies the IP address of the TACACS+ server 


tacacs-server key 
cisco 


Specifies a key of “cisco” for authentication between the access 
server and the TACACS+ server 


username username 
password password 


Sets the username and password on the router for local 
authentication 


undebug all 


Disables all or specific debugging 
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Scenario 


You will configure the central router to use a preconfigured Cisco Secure TACACS+ Server 
that shares the Ethernet backbone with all the central routers. This process will allow you to 
centralize your authentication usernames and passwords, your authorization control processes, 
and all of your accounting records throughout your enterprise. 


Setup 


Gather the information shown in this table prior to starting this lab. 


Pod Number 


Information Required 


Example (X is your 
pod number; all 
subnet masks are 


Write in the 
information for your 
pod 


255.255.255.0) 

Central router Your (first) LAN Ethernet 0/0 
interface type 

Central router Your (first) LAN 10.X.0.1 
interface IP 

Central router Your (first) WAN Serial 0/0 
interface type Serial 3/0 

Central router Your (first) WAN 10.X.160.1 
interface IP 

Cisco Secure AAA IP address 10.X.0.200 

Server 

Branch router Your (first) LAN 10.X.10.2 


interface IP 


Branch router Your (first) LAN FastEthernet 0 


interface type 


Branch router Your (first) WAN Serial 0 
interface type 

Branch router Your (first) WAN 10.X.160.2 
interface IP 


Setup Tasks 


From your PC, establish a Telnet session on the terminal server and open a console connection 
to the branch router of your pod. 


From your PC, establish a Telnet session on the terminal server again and open a second 
console connection to the central router of your pod. 


You will now be able to configure and observe output on both routers simultaneously. 


Using the TFTP facility, copy the appropriate preconfiguration files to the central and branch 
routers, then reload. 


Verify the network connectivity by executing a ping from the branch router to the Cisco Secure 
TACACS+ Server. 
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Task 1: Preparing the Central Router for AAA Operation 


This task prepares the central router for AAA operation. 


Exercise Procedure 


Complete these steps: 


Step 1 Log in to the EXEC privilege mode on your central router. Enter the command 
reload in 60. 


Note If you make a mistake when you are configuring the router to use the AAA server for 
authentication, you may accidentally lock yourself out of the router. Executing a reload in 60 
(minutes) command will cause your router to reload automatically in 60 minutes. This action 
will insure that you will be able to recover from the mistake when the router reloads. Refer to 
your lab command reference list to cancel the reload operation. 


Step 2 Enable the AAA access control service. 


Step 3 Enter the command that will create an authentication list named no_tacacs using the 
enable secret password as the password for login authentications. 


Step 4 Configure your central router console to use the no_tacacs authentication list. This 
action will create a back door at the console to allow you to access the router 
without using the Cisco Secure ACS server by authenticating users with the enable 
secret password, which is stored locally. 


Step 5 Log out of the central router without closing the console session completely. 


Caution Do not save your configuration until you have completed Task 2 and tested it. 
Step 6 Proceed to Task 2. 


Task 2: Testing the Central Router Console Back Door 


This task will test how to gain access through the central router console back door. 


Exercise Procedure 


Complete these steps: 


Step 1 On the console session of your central router, press Return. You will be prompted 
for a password. 


Step 2 Enter the enable secret password. If your back door is configured properly, you will 
be granted access. 


If you were able to gain access to the console of your central router, save your 
configuration. 


Step 3 Proceed to Task 3. 
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Task 3: Configuring and Testing the Central Router for AAA 
Local User Authentication 


This task configures and tests the central router for AAA local user authentication. 


Exercise Procedure 


Complete these steps: 


Step 1 


Step 2 


Step 3 


Step 4 


Step 5 


Step 6 
Step 7 


Step 8 


At your central router, enable TACACS+ and AAA authentication debugging. 
Observe the debug output of the central router while completing the steps in this 
task. Look for any AAA authentication activity pertaining to the branch router. 


Open the branch router console session. 


From the branch router, attempt to establish a Telnet session on the central router 
using the username user and the password letmein. This attempt will be 
unsuccessful because this username and password are on the Cisco Secure ACS 
server. Your central router is configured to check only locally for usernames and 
passwords. 


From the branch router, attempt to establish a Telnet session on the central router 
using the username localuser and the password cisco. This attempt will be 
successful only after you have configured a local username and password on the 
central router. 


On the central router, configure the local username localuser and the password 
cisco. 


Repeat Step 4. You should now be able to access the central router. 
Disable all debugging on the central router and log out. 


Proceed to Task 4. 


Task 4: Configuring and Testing the Central Router for AAA 
TACACS+ User Authentication 


This task configures and tests the central router for AAA TACACS-+ user authentication. 


Exercise Procedure 


Complete these steps: 


Step 1 


Step 2 


Step 3 


Configure your central router with the address of the Cisco Secure ACS server and 
the key cisco for the AAA service using the TACACS+ protocol. 


Configure your central router with the same key for the AAA service, but use the 
RADIUS protocol. 


Configure a login authentication list named telnet-order. The list should be 
configured in such a way that Telnet sessions would be authenticated by the Cisco 
Secure ACS server using the TACACS+ protocol first and then by the local 
username and password if the Cisco Secure ACS server were unreachable. 
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Step 4 Configure the central router virtual terminal lines to use the telnet-order 
authentication list when authenticating Telnet sessions. 


Step 5 Enable both TACACS+ and TACACS+ events debugging. Observe the debug 
output on the central router while performing the next steps. 


Step 6 From the branch router,, establish a Telnet session on the central router with the 
username localuser and the password cisco. You will not be successful because you 
are now using the Cisco Secure ACS server as your ACS server, where the username 
localuser is not configured. 


Step 7 Again, attempt to establish a Telnet session from the branch router to the central 
router, but use the username user and the password letmein. You will succeed 
because the Cisco Secure ACS server has been preconfigured with that username 
and password. 


Step 8 Exit to the branch router. 


While you were executing the unsuccessful login in Steps 6 and 7, the central router should 
have generated TACACS+ debug output similar to this: 


00:47:15: TAC+: Using default tacacs server-group "tacacs+" 
list. 


00:47:15: TAC+: Opening TCP/IP to 10.1.0.200/49 timeout=5 


00:47:15: TAC+: Opened TCP/IP handle 0x62A17ADC to 
10.1.0.200/49 


<Output omitted> 


00:47:15: TAC+: ver=192 id=1628988694 received AUTHEN status 
GETUSER 


<Output omitted> 


00:47:21: TAC+: ver=192 id=1628988694 received AUTHEN status 
GETPASS 


<Output omitted> 


00:47:24: TAC+: ver=192 id=1628988694 received AUTHEN status 
FAIL 


A successful login would look similar to this: 


00:47:44: TAC+: Using default tacacs server-group "tacacs+" 
list. 


<Output omitted> 
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Step 9 


Step 10 


00:47:45: TAC+: ver=192 id=3696549381 received AUTHEN status 
GETUSER 


<Output omitted> 


00:47:49: TAC+: ver=192 id=3696549381 received AUTHEN status 
GETPASS 


<Output omitted> 


00:47:51: TAC+: ver=192 id=3696549381 received AUTHEN status 
PASS 


Disable all debugging. 
Proceed to Task 5. 


Task 5: Configuring and Testing the Central Router AAA EXEC 


Authorization 


This task configures and tests the central router AAA EXEC authorization. 


Exercise Procedure 


Complete these steps: 


Step 1 


Step 2 


Note 


Step 3 


Step 4 


Note 


Enable AAA authorization, TACACS+, and TACACS+ events debugging at the 
central router and observe the debug output while completing the next steps. 


Establish a Telnet session from the branch router to the central router using the 
username superuser and the password root. This username and password have also 
been preconfigured on the Cisco Secure ACS server. 


As indicated by the prompt you see on completing Step 2, the username superuser is in 
user EXEC mode. To be authorized to use the higher-level commands available in privileged 
EXEC mode, you would have to supply the local enable secret password. 


Exit to the branch router. 


On the central router, configure AAA authorization for the privileged EXEC mode 
using the Cisco Secure ACS server and the default authorization list. 


Ignore the following console message: 
02:23:33: AAA/AUTHOR: config command authorization not enabled 
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Step 5 


Step 6 


Step 7 


Note 


Step 8 


Note 


Step 9 


Establish a Telnet session from the branch router to the central router using the 
username superuser and the password root. You should automatically be placed in 
privileged EXEC mode because the Cisco Secure ACS server has authorized the 
user superuser. There is no need to supply the local enable secret password to use 
privileged EXEC commands. This output indicates that authorization for the EXEC 
process is functioning. 


Exit to the branch router. 


Again establish a Telnet session from the branch router to the central router using 
the username user with the password letmein. 


Because the user user has been preconfigured on the Cisco Secure ACS server, you are 
able to authenticate and access user EXEC mode. However, you would have to supply the 
local enable secret password to access privileged EXEC mode. 


While logged into the central router as the user user, enter the privileged EXEC 
mode. 


Notice the difference between authentication and authorization. The user user is still able 
gain access to the privileged user EXEC mode by providing the local enable secret 
password, which is still the configured enable authentication method. The lack of 
authorization does not prohibit that access. 


Exit to the branch router. 


While you completed Task 5, the central router should have generated AAA TACACS+ and 
authorization debug output similar to the following user debug output: 


<Output omitted> 


01:36:57: TAC+: periodic timer stopped (queue empty) 


01:36:57: TAC+: (793171495): received author response status = 
PASS ADD 


01:36:57: TAC+: Closing TCP/IP 0x62A2FB88 connection to 
10.1.0.200/49 


The following is an example of how the superuser debug output should look: 


01:00:31: TAC+: 10.1.0.200 req=62A30D58 Qd id=88587168 ver=192 
handle=0x62A19238 (ESTAB) expire=5 AUTHOR/START queued 


<Output omitted> 


01:00:31: TAC+: (88587168) AUTHOR/START processed 


<Output omitted> 
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01:00:31: TAC+: (88587168): received author response status = 
PASS ADD 


01:00:31: TAC+: Closing TCP/IP 0x62A19238 connection to 
10.1.0.200/49 


01:00:31: TAC+: Received Attribute "priv-lvl=15" 


The following is an example of how the user AAA authorization debug output 
should look: 


<Output omitted> 


16:26:47: tty6é6é AAA/AUTHOR/EXEC (2667327940) : Port='tty66' 
list='' service=EXEC 


16:26:47: AAA/AUTHOR/EXEC: tty66 (2667327940) user='user' 


16:26:47: tty6é6é AAA/AUTHOR/EXEC (2667327940): send AV 
service=shell 


16:26:47: tty66 AAA/AUTHOR/EXEC (2667327940): send AV cmd* 


16:26:47: tty66 AAA/AUTHOR/EXEC (2667327940): found list 
"default" 


16:26:47: tty6é6é AAA/AUTHOR/EXEC (2667327940): Method=tacacs+ 
(tacacs+) 


16:26:47: AAA/AUTHOR/TAC+: (2667327940): user=user 
16:26:47: AAA/AUTHOR/TAC+: (2667327940): send AV service=shell 
16:26:47: AAA/AUTHOR/TAC+: (2667327940): send AV cmd* 


16:26:47: AAA/AUTHOR (2667327940): Post authorization status = 
PASS ADD 


16:26:47: AAA/AUTHOR/EXEC: Authorization successful 


<Output omitted> 


16:28:21: AAA/MEMORY: free_user (0x822A7244) user='user' 
ruser='NULL' port='tty6 


6' rem_addr='10.5.160.2' authen_type=ASCII service=LOGIN 
priv=1 


Step10 Disable AAA authorization debugging at the central router. 


Step11 Proceed to Task 6. 
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Task 6: Configuring and Testing the Central Router AAA EXEC 


Accounting 


This task configures and tests the central router AAA EXEC accounting. 


Exercise Procedure 


Complete these steps: 


152 


Step 1 


Step 2 


Step 3 


Step 4 


Step 5 


Step 6 


Enable AAA accounting debugging at the central router and observe the debug 
output while completing the next steps. 


Configure the central router to enable AAA accounting for the starting and stopping 
of EXEC mode processes for the default accounting list. The accounting information 
should be logged to the Cisco Secure ACS server, where a report will be generated 
when a user starts and stops the EXEC process where commands are issued. 


Establish a Telnet session from the branch router to the central router using the 
username user and the password letmein. When the user user has been 
authenticated, EXEC processes are started and will be logged. 


Exit to the branch router. 


Establish a Telnet session from the branch router the central router using the 
username superuser and the password root. Note that the privileged EXEC level is 
not indicated in the accounting debug output. This result is because the central router 
has been configured to log only the start and stop of the EXEC process, the 
equivalent of a user successfully logging into and out of the router. 


Verify that as you performed the previous steps, the central site router generated 
AAA TACACS-+ and accounting debug output similar to the following: 


01:47:51: TAC+: 10.1.0.200 req=62A306A4 Qd id=1071385788 
ver=192 handle=0x6298CD54 (ESTAB) expire=5 ACCT/REQUEST/START 
queued 


01:47:51: TAC+: 10.1.0.200 (1071385788) ACCT/REQUEST/START 
queued 


01:47:51: TAC+: 10.1.0.200 ESTAB id=1071385788 wrote 78 of 78 
bytes 


01:47:51: TAC+: 10.1.0.200 req=62A306A4 Qd id=1071385788 
ver=192 handle=0x6298CD54 (ESTAB) expire=4 ACCT/REQUEST/START 
sent 


<Output omitted> 


01:47:51: TAC+: req=62A306A4 Tx id=1071385788 ver=192 
handle=0x6298CD54 (ESTAB) expire=4 ACCT/REQUEST/START 
processed 


01:47:51: TAC+: (1071385788) ACCT/REQUEST/START processed 
01:47:51: TAC+: periodic timer stopped (queue empty) 


01:47:51: TAC+: (1071385788): received acct response status = 
SUCCESS 
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<Output omitted> 


01:47:57: TAC+: 10.1.0.200 req=62A3036C Qd id=3937240687 
ver=192 handle=0x6298D1F0O (ESTAB) expire=5 ACCT/REQUEST/STOP 
queued 


01:47:57: TAC+: 10.1.0.200 (3937240687) ACCT/REQUEST/STOP 
queued 


01:47:57: TAC+: 10.1.0.200 ESTAB id=3937240687 wrote 177 of 
177 bytes 


01:47:57: TAC+: 10.1.0.200 req=62A3036C Qd id=3937240687 
ver=192 handle=0x6298D1F0 (ESTAB) expire=4 ACCT/REQUEST/STOP 
sent 


<Output omitted> 


01:47:57: TAC+: req=62A3036C Tx id=3937240687 ver=192 
handle=0x6298D1F0 (ESTAB) expire=4 ACCT/REQUEST/STOP processed 


01:47:57: TAC+: (3937240687) ACCT/REQUEST/STOP processed 
01:47:57: TAC+: periodic timer stopped (queue empty) 


01:47:57: TAC+: (3937240687): received acct response status = 
SUCCESS 


15:22:44: AAA/ACCT/EXEC/START User user, port tty66 

15:22:44: AAA/ACCT/EXEC: Found list "default" 

15:22:44: AAA/ACCT/EXEC/START User user, Port tty66, 
task_id=2 timezone=UTC service=shell 


15:22:44: AAA/ACCT: user user, acct type 0 (1677691259): 
Method=tacacs+ (tacacs) 


Step 7 Proceed to Task 7. 
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Task 7: Configuring and Testing the Central Router AAA 
Network Accounting 


This task configures and tests the central router AAA network accounting. 


Exercise Procedure 


Complete these steps: 


Step 1 Configure the central router to enable AAA accounting for the use of network 
services for the default accounting list. The accounting information should be logged 
to the Cisco Secure ACS server, where a report will be generated when a user starts 
and stops the use of network services. 


Step 2 On the branch router, shut down the WAN interface to the central router and observe 
the AAA accounting debug output to verify AAA network accounting. 


Step 3 On the branch router, reactivate the WAN interface to the central router and observe 
the AAA accounting debug output to verify AAA network accounting. 


Step 4 Verify that as you performed the previous steps, the central router generated AAA 
TACACS+ and accounting debug output similar to the following: 


TACACS+ output 


01:55:40: TAC+: 10.1.0.200 req=62696434 Qd id=3579209361 
ver=192 handle=0x62A1B784 (ESTAB) expire=5 ACCT/REQUEST/START 
queued 


01:55:40: TAC+: 10.1.0.200 (3579209361) ACCT/REQUEST/START 
queued 


01:55:40: TAC+: 10.1.0.200 ESTAB id=3579209361 wrote 78 of 78 
bytes 


01:55:40: TAC+: 10.1.0.200 req=62696434 Qd id=3579209361 
ver=192 handle=0x62A1B784 (ESTAB) expire=4 ACCT/REQUEST/START 
sent 


<Output omitted> 


01:55:40: TAC+: req=62696434 Tx id=3579209361 ver=192 
handle=0x62A1B784 (ESTAB) expire=4 ACCT/REQUEST/START 
processed 


01:55:40: TAC+: (3579209361) ACCT/REQUEST/START processed 
01:55:40: TAC+: periodic timer stopped (queue empty) 


01:55:40: TAC+: (3579209361): received acct response status = 
SUCCESS 


<Output omitted> 
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01:56:19: TAC+: 10.1.0.200 req=626963E0 Qd id=1283237260 
ver=192 handle=0x62A1BC20 (ESTAB) expire=5 ACCT/REQUEST/STOP 
queued 


01:56:19: TAC+: 10.1.0.200 (1283237260) ACCT/REQUEST/STOP 
queued 


01:56:19: TAC+: 10.1.0.200 req=626963E0 Qd id=1283237260 
ver=192 handle=0x62A1BC20 (ESTAB) expire=4 ACCT/REQUEST/STOP 
sent 


<Output omitted> 


01:56:19: TAC+: req=626963E0 Tx id=1283237260 ver=192 


handle=0x62A1BC20 (ESTAB) expire=4 ACCT/REQUEST/STOP processed 


01:56:19: TAC+: (1283237260) ACCT/REQUEST/STOP processed 
01:56:19: TAC+: periodic timer stopped (queue empty) 


01:56:19: TAC+: (1283237260): received acct response status 
SUCCESS 


<Output omitted> 


01:56:36: TAC+: 10.1.0.200 req=626963C4 Qd id=1548704104 
ver=192 handle=0x62A1COBC (ESTAB) expire=5 ACCT/REQUEST/STOP 
queued 


01:56:36: TAC+: 10.1.0.200 (1548704104) ACCT/REQUEST/STOP 
queued 


01:56:36: TAC+: 10.1.0.200 ESTAB id=1548704104 wrote 366 of 
366 bytes 


01:56:36: TAC+: 10.1.0.200 req=626963C4 Qd id=1548704104 
ver=192 handle=0x62A1COBC (ESTAB) expire=4 ACCT/REQUEST/STOP 
sent 


The following shows AAA accounting debug output on shutdown: 


16:17:16: *LINK-3-UPDOWN: Interface Serial0/0, changed state 
to down 


16:17:16: AAA/ACCT/ACCT_DISC: Found list "default" 
16:17:16: Serial0/0O AAA/DISC: 2/"Lost Carrier" 
16:17:16: AAA/ACCT/ACCT_DISC: Found list "default" 
16:17:16: Serial0/0O AAA/DISC/EXT: 1011/"Lost Carrier" 
16:17:16: AAA/ACCT/ACCT_DISC: Found list "default" 
16:17:16: Serial0/0O AAA/DISC: 2/"Lost Carrier" 
16:17:16: AAA/ACCT/ACCT_DISC: Found list "default" 
16:17:16: Serial0/0 AAA/DISC/EXT: 1011/"Lost Carrier" 


16:17:16: AAA/ACCT: no attribute "pre-bytes-in" to replace, 
adding it 
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16:17:16: AAA/ACCT: no attribute "pre-bytes-out" to replace, 
adding it 


16:17:16: AAA/ACCT: no attribute "pre-paks-in" to replace, 
adding it 


16:17:16: AAA/ACCT: no attribute "pre-paks-out" to replace, 
adding it 

16:17:16: AAA/ACCT: no attribute "bytes in" to replace, adding 
it 

16:17:16: AAA/ACCT: no attribute "bytes_out" to replace, 
adding it 

16:17:16: AAA/ACCT: no attribute "paks_in" to replace, adding 
it 

16:17:16: AAA/ACCT: no attribute "paks_ out" to replace, adding 
it 

16:17:16: AAA/ACCT: no attribute "pre-session-time" to 
replace, adding it 


16:17:16: AAA/ACCT: no attribute "elapsed_time" to replace, 
adding it 


16:17:16: AAA/ACCT non-ISDN xmit=0 recv=0 hwidb=823847C4 tty=0 
16:17:16: AAA/ACCT/NET/STOP User branch_5, Port Serial0/0: 


task_id=7 timezone=UTC service=ppp protocol=ip 
addr=10.5.160.2 disc-cau 


se=2 disc-cause-ext=1011 pre-bytes-in=145 pre-bytes-out=133 
pre-paks-in=7 pre-pa 


ks-out=6 bytes _in=3595 bytes out=3927 paks_in=153 paks_out=150 
pre-session-time= 


58031 connect-progress=60 elapsed_time=605 nas-rx-speed=0 nas- 
tx-speed=0 


16:17:16: AAA/ACCT: user branch_5, acct type 2 (3107486732): 
Method=tacacs+ (tac 


acs+) 


The following shows AAA accounting debug output on reactivation: 


16:21:54: %LINK-3-UPDOWN: Interface Serial0/0, changed state 
to up 


16:21:54: AAA/ACCT/PROG: Could not determine dsO to update 
Connect Progress 


16:21:54: voice_parse_intf name: Using the old NAS PORT string 
16:21:54: AAA: parse name=Serial0/0 idb type=56 tty=-1 


16:21:54: AAA: name=Serial0/0 flags=0x15 type=3 shelf=0 slot=0 
adapter=0 port=0 


channel=0 
16:21:54: voice_parse_intf name: Using the old NAS PORT string 
16:21:54: AAA: parse name=<no string> idb type=-1 tty=-1 


16:21:54: AAA/MEMORY: create_user (0x823E0BBO) user='branch_5' 
ruser='NULL' ds0= 
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0 port='Serial0/0' rem_addr='' authen_type=CHAP service=PPP 
priv=1 initial_task_ 


id='0' 


16:21:54: AAA/MEMORY: free_user (0x823E0BBO) user='branch_ 5! 
ruser='NULL' port=' 


Serial0/0' rem_addr='' authen_type=CHAP service=PPP priv=1 
16:21:54: voice_parse_intf name: Using the old NAS PORT string 
16:21:54: AAA: parse name=Serial0/0 idb type=56 tty=-1 


16:21:54: AAA: name=Serial0/0 flags=0x15 type=3 shelf=0 slot=0 
adapter=0 port=0 


channel=0 
16:21:54: voice_parse_intf name: Using the old NAS PORT string 
16:21:54: AAA: parse name=<no string> idb type=-1 tty=-1 


16:21:54: AAA/MEMORY: create_user (0x823E0BBO) user='branch_5' 
ruser='NULL' ds0= 


0 port='Serial0/0' rem_addr='' authen_type=CHAP service=PPP 
priv=1 initial_task_ 


id='0' 


16:21:54: AAA/ACCT/NET/START User branch _5, Port Serial0o/0, 
List we 


16:21:54: AAA/ACCT/NET: Found list "default" 

16:21:54: AAA/ACCT: no attribute "service" to replace, adding 

it 

16:21:54: AAA/ACCT/NET/START User branch _5, Port Serial0/0, 
task_id=9 timezone=UTC service=ppp 


16:21:54: AAA/ACCT: user branch_5, acct type 2 (1512055031): 
Method=tacacs+ (tac 


acs+) 


16:21:54: TAC+: Using default tacacs server-group "tacacs+" 
list. 


16:21:54: TAC+: Opening TCP/IP to 10.5.0.200/49 timeout=5 


16:21:54: AAA/ACCT/PROG: Updating Connect Progress for ds0O 0 
to 67 


16:21:54: AAA/ACCT/PROG: Updating Connect Progress for ds0O 0 
to 60 


16:21:54: AAA/ACCT: no attribute "protocol" to replace, adding 
it 
16:21:54: AAA/ACCT: no attribute "addr" to replace, adding it 


16:21:54: AAA/ACCT/PROG: Updating Connect Progress for ds0O 0 
to 60 


Step 5 Disable all debugging. 
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Exercise Verification 


You have completed this exercise when you attain these results: 


™ You can log in from the branch router using a ACS server to authenticate the username 
localuser 


™ Youcan log in from the branch router using a ACS server to authorize for username user 
privilege level 1 and superuser privilege level 15 


™ Youcan log in from the branch router using a ACS server to send EXEC accounting start- 
stop messages 


Your configuration should have had lines added. On the central router, verify that your 
configuration contains lines similar to the following: 


aaa new-model ! Task 1 Step 2 


aaa authentication login no_tacacs enable ! Task 1 Step 3 


aaa authentication login telnet-order group tacacs+ local 
! Task 4 Step 3 


aaa authorization exec default group tacacs+ 
! Task 5 Step 4 


aaa accounting exec default start-stop group tacacs+ 
! Task 6 Step 2 


aaa accounting network default start-stop group tacacs+ ! 
Task 7 Step 1 


username localuser password cisco ! Task 3 Step 
5 
tacacs-server host 10.1.0.200 key cisco ! Task 4 Step 
1 
radius-server host 10.1.0.200 key cisco ! Task 4 Step 
2 


line con 0 


login authentication no_tacacs ! Task 1 Step 4 


line vty 0 4 


login authentication telnet-order ! Task 4 Step 4 
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Lab Exercise Answer Key 
Lab Exercise 11-1: Using AAA to Scale Access Control 


When you complete this lab exercise, your router configuration will be similar to the following, 
with differences that are specific to your pod. 


Branch Router End Configuration 
version 12.2 


service timestamps debug uptime 
service timestamps log uptime 
no service password-encryption 
! 

hostname branch_3 

! 

enable secret 5 $1$YF.9$X9uj9fWvTn/4BFK1VaSUF. 
! 
username central_3 password 0 cisco 
mmi polling-interval 60 

no mmi auto-configure 

no mmi pvc 
mmi snmp-timeout 180 

ip subnet-zero 

! 

! 
no ip domain-lookup 

! 

ip ssh time-out 120 

ip ssh authentication-retries 3 
! 

! 

! 

! 

interface BRIO 

no ip address 

shutdown 

no cdp enable 

! 

interface FastEtherneto 


description This is the ethernet network for the branch 
router 


ip address 10.3.10.2 255.255.255.0 
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speed auto 

no cdp enable 

! 
interface Serial0oO 

description This link goes from branch to central 
bandwidth 128 

ip address 10.3.160.2 255.255.255.0 
encapsulation ppp 

no cdp enable 

ppp authentication chap 

! 

interface Seriall 

no ip address 

shutdown 

no cdp enable 

! 

ip classless 

ip route 0.0.0.0 0.0.0.0 10.3.160.1 
no ip http server 

ip pim bidir-enable 

! 

! 

no cdp run 
! 
banner motd * 


Lab11 Lab11 Lab11 Lab11 Lab11 Lab11 Labi1l1 Lab11 Lab11 Labi1l 
Lab11 Lab11 


branch branch branch branch branch branch branch branch 


Notes from the instructor: 


All local passwords should be set to "cisco" 


branch branch branch branch branch branch branch branch 


Lab11 Lab11 Lab11 Lab11 Lab11 Lab11 Labi1l1 Lab11 Lab11 Labi1l 
Lab11 Lab11 


A 
! 
line con 0 


exec-timeout 30 0 


logging synchronous level all 
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history size 200 


line aux 0 


line vty 0 4 


exec-timeout 30 0 


password cisco 


logging synchronous 


login 


history size 200 


end 


Central Router End Configuration 
version 12.2 


service timestamps debug uptime 


service timestamps log uptime 


no service password-encryption 


hostname central _ 3 


aaa 


new-model 

authentication login no_tacacs enable 

authentication login telnet-order group tacacs+ local 
authorization exec default group tacacs+ 

accounting exec default start-stop group tacacs+ 


accounting network default start-stop group tacacs+ 


enable secret 5 $1Sb8L5$Nd51tIYhdJhXnvJVeLQqw.. 


username localuser password 0 cisco 


username branch_3 password 0 cisco 


ip subnet-zero 


no ip domain-lookup 


call rsvp-sync 
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! 
controller T1 1/0 
framing sf 
linecode ami 
! 
! 


interface Ethernet0/0 


description This is the ethernet network for the central 


router 


ip address 10.3.0.1 255.255.255.0 


half-duplex 


no cdp enable 


interface Ethernet0/1 


no ip address 
shutdown 
half-duplex 
no cdp enable 
! 


interface Serial3/0 


description This link goes from central to Branch 


bandwidth 128 


ip address 10.3.160.1 255.255.255.0 


encapsulation ppp 
clockrate 128000 


no cdp enable 


ppp authentication chap 


! 
interface Serial3/1 
no ip address 
shutdown 
no cdp enable 
! 
interface Serial3/2 
no ip address 
shutdown 
no cdp enable 
! 
interface Serial3/3 


no ip address 
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shutdown 
no cdp enable 
! 
ip classless 
no ip http server 
! 
no cdp run 
! 
tacacs-server host 10.3.0.200 key cisco 


radius-server host 10.3.0.200 auth-port 1645 acct-port 1646 
key cisco 


radius-server retransmit 3 
! 

dial-peer cor custom 

! 

! 

! 

! 

A 


banner motd 


Lab11 Lab11 Lab11 Lab11 Lab11 Lab11 Labi1l1 Lab11 Lab1l1 Labil 
Lab11 Lab11 


central central central central central central central 
central 


Notes from the instructor: 


All local passwords should be set to "cisco" 


central central central central central central central 
central 


Lab11 Lab11 Lab11 Lab11 Lab11 Lab11 Labi1l1 Lab11 Lab11 Labi1l 
Lab11 Lab11 


A 
! 
line con 0 

exec-timeout 30 0 

logging synchronous level all 
login authentication no_tacacs 
history size 200 

line 65 70 

flush-at-activation 


line aux 0 
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line vty 0 4 

exec-timeout 30 0 

password cisco 

logging synchronous 

login authentication telnet-order 


history size 200 


end 
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Super Lab 


Complete the following lab exercise to practice what you learned in the BCRAN course. 


Visual Objective 


The figure displays the configuration that you will complete in this exercise. 


710.%.100.3/24 10,X%.0,1/24 
ODlaler2: 
10.X.210.3/24 
BRIO *™ ™ ™ ISDN Service 


Provider/Basic 
Telephone Service 


10.X.1.180.2/24 
Frame Relay Frame Relay 
Service 


ee 


Scenario 


A small real estate company called ABC has hired you to set up the network infrastructure. 
After analyzing the requirements of ABC, you have decided to connect the small office, home 
office (SOHO) of the owner back to the central office (CO) with an ISDN BRI connection. 
Frame Relay will connect the ABC branch to the CO. The CO is currently connected to a 
Frame Relay provider and a serial T1 for ISDN connectivity. 
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Setup 


Gather the information shown in this table prior to starting this lab. 


Pod Number 


Information Required 


Example (where X is 
your pod number) all 
subnet masks are 


Write in your 
information for your 
pod 


255.255.255.0 

Central Router Your (first) LAN Ethernet 0/0 
interface type 

Central Router Your (first) LAN 10.X.0.1 
interface IP 

Central Router Your (first) ISDN T1 1/0 
controller 

Central Router ISDN interface IP to 10.X.200.1 


Branch 


Central Router 


ISDN switch type 


primary-5ess 


Central Router ISDN Number 555X100 

Central Router Dialer 2 IP to SOHO 10.X.210.1 

Central Router Your (second) WAN Serial 0/1 
Interface Type 

Serial 3/1 

Central Router Your (second) WAN 10.X.150.1 
Interface IP Address 

Central Router Frame-Rely DLCI X12 

Branch Router Your (first) LAN FastEthernetO 
interface type 

Branch Router Your (first) LAN 10.X.10.2 
interface IP 

Branch Router Your (second) WAN Serial 1 
Interface Type 

Branch Router Your (second) WAN 10.X.150.2 
Interface IP Address 

Branch Router Frame-Rely DLCI X21 

SOHO Router Your (first) LAN Ethernet 0 
interface type 

SOHO Router Your (first) LAN 10.X.100.3 
interface IP 

SOHO Router ISDN switch type basic-5ess 

SOHO Router Your (first) ISDN BriO 
interface type 

SOHO Router ISDN Number 555X300 

SOHO Router Dialer 2 IP to Central 10.X.210.3 

SOHO Router initial config file name pXc10 0 
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Setup Tasks 


Task 1: 


Task 2: 


Task 3: 


Task 4: 


From your PC, Telnet to the terminal server and open a console connection to the branch router 
of your pod. 


From your PC, Telnet to the terminal server again and open a second console connection to the 
central router of your pod. 


You will now be able to configure and observe output on both routers simultaneously. 


Erase the central, branch, and SOHO routers and reload the routers. 


Basic Configuration Considerations 


Properly configure your routers for identification, connectivity, and basic authentication access. 
For this task and the following tasks, all local passwords should be set to “cisco” and names 
should follow the conventions that have been used throughout the course labs. To limit the 
number of typos and misconfiguration, it may be wise not to make use of capitalization or 
unusual characters, and to keep names simple and provide meaningful descriptions on 
interfaces. 


Frame Relay Considerations 


Because of the possibility of future expansion of additional branch offices, you have to 
implement Frame Relay using point-to-point subinterfaces. You would also like to ensure that 
traffic shaping is enabled to respond to backward explicit congestion notification (BECN). 
When configuring traffic shaping, keep in mind that the CO uses a link speed of 128 kbps and 
the branch office uses a link speed of 32 kbps, and that there are defaults that may or may not 
be suitable for your WAN network. 


ISDN Considerations 


Because of the possibility of future expansion of ABC, you will implement dialer profiles for 
the connections between the SOHO and CO. 


The connection between the CO and SOHO will use CHAP authentication. 


Routing Considerations 


It is not necessary for the branch and SOHO users to have IP connectivity between each other. 


Because of the limited bandwidth on the ISDN connection between the SOHO and central 
router, do not use a routing protocol between these sites. (Hint: You will need only one static 
route at the SOHO and the central router.) 


Use Enhanced Interior Gateway Routing Protocol (EIGRP) with an autonomous system (AS) of 
100 between the branch and central sites. Ensure that the dialer interface between the central 
and SOHO routers is not brought up by an EIGRP broadcast. (Hint: How do you suppress a 
routing update on an interface?) Also, you will want to ensure that EIGRP does not 
automatically summarize the routes. 
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Task 5: 


Task 6: 


Bandwidth Considerations 


ABC is concerned about critical web traffic from the central site, so it was decided that at least 
50 percent of the Frame Relay bandwidth be guaranteed for web traffic. Create and enforce a 
policy to meet this requirement. 


Security Considerations 


ABC has critical applications that are used between the branch and CO networks. It wishes to 
use IP Security (IPSEC) to secure transmissions between the branch and central LAN subnets. 
It has been agreed that Internet Security Association and Key Management Protocol (ISAKMP) 
will be used for key negotiations, Data Encryption Standard (DES) will be used for encryption, 
Secure Hash Algorithm 1 (SHA-1) will be used as the hash algorithm, and a preshared key will 
accomplish the authentication. IPSEC will use Encapsulating Security Payload (ESP) with DES 
encryption. 


Exercise Verification 


You have completed this lab exercise if you were able to accomplish the following: 


1. From the SOHO router, you can successfully execute an extended ping (using the SOHO 
LAN interface IP as the source) to the LAN interface IP of the central router. 


2. From the branch router, you can successfully execute an extended ping (using the branch 
LAN interface IP as the source) to the LAN interface IP of the central router. 


3. Atthe central router, use the show frame-relay pve command and verify that traffic 
shaping is enabled for BECN. 


4. Atthe central router, you can verify that HTTP traffic is configured to receive 50 percent of 
the Frame Relay bandwidth. 


5. Atthe central router, you can successfully execute an extended ping between the LAN 
interface IP addresses. A security association will be established. 
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Lab Exercise Answer Key 
Super Lab 


When you complete this lab exercise, your router configuration will be similar to the following, 
with differences that are specific to your pod. 


Branch Router End Configuration 
version 12.2 


service timestamps debug uptime 

service timestamps log uptime 

no service password-encryption 

! 

hostname branch_3 

! 

enable secret 5 $1SCW/6$iGU8nsLWMUIJzZaWeL1 PSO 
! 

memory-size iomem 25 

mmi polling-interval 60 

no mmi auto-configure 

no mmi pvc 

mmi snmp-timeout 180 

ip subnet-zero 

! 

! 

! 

ip ssh time-out 120 

ip ssh authentication-retries 3 

! 

crypto isakmp policy 100 

authentication pre-share 

crypto isakmp key ciscol1234 address 10.3.150.1 
! 

! 
crypto ipsec transform-set myset esp-des 
! 
crypto map mymap 110 ipsec-isakmp 

set peer 10.3.150.1 

set transform-set myset 


match address 101 
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! 

! 
interface BRIO 

no ip address 

shutdown 

! 
interface FastEtherneto 
ip address 10.3.10.2 255.255.255.0 
speed auto 

! 

interface Seriald 

no ip address 

shutdown 

no fair-queue 

! 

interface Seriall 


description This is the Frame Relay interface to the Frame 
Relay switch 


bandwidth 32 

no ip address 

encapsulation frame-relay 

no fair-queue 

frame-relay class shape 
frame-relay traffic-shaping 

! 
interface Seriall.1 point-to-point 
description This is the Frame Relay PVC to Central 
ip address 10.3.150.2 255.255.255.0 
frame-relay interface-dlci 321 
crypto map mymap 

! 
router eigrp 100 

network 10.0.0.0 

no auto-summary 

no eigrp log-neighbor-changes 

! 

ip classless 

no ip http server 

ip pim bidir-enable 

! 
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! 

map-class frame-relay shape 
frame-relay cir 28000 

frame-relay be 32000 

frame-relay adaptive-shaping becn 


access-list 101 permit ip 10.3.10.0 0.0.0.255 10.3.0.0 
0.0.0.255 


! 

! 

line con 0 

line aux 0 

line vty 0 4 

! 

no scheduler allocate 


end 


Central Router End Configuration 
version 12.2 


service timestamps debug uptime 
service timestamps log uptime 
no service password-encryption 
! 
hostname central _ 3 
! 
enable secret 5 $1SdABYSiojW6oyFakgbawg .8TJDMO 
! 
username soho_3 password 0 cisco 
ip subnet-zero 
! 
! 
! 
! 
class-map match-all web 
match access-group 100 
! 
! 
policy-map outbound-q 
class web 


bandwidth percent 50 
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crypto isakmp policy 100 


authentication pre-share 


crypto isakmp key cisco1234 address 10.3.150.2 


crypto ipsec transform-set myset esp-des 


! 
crypto map mymap 110 ipsec-isakmp 
set peer 10.3.150.2 

set transform-set myset 
match address 101 

! 

isdn switch-type primary-5ess 
call rsvp-sync 

! 

! 

! 

! 

! 

! 
controller T1 1/0 

framing esf 

linecode b8zs 

pri-group timeslots 1-24 
! 

! 

! 

interface Ethernet0/0 

ip address 10.3.0.1 255.255.255. 
half-duplex 

! 

interface Ethernet0/1 

no ip address 

shutdown 

half-duplex 

! 

interface Seriall1/0:23 

no ip address 
encapsulation ppp 


dialer pool-member 2 
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isdn switch-type primary-5ess 
ppp authentication chap 

! 

interface Serial3/0 

no ip address 

shutdown 

no fair-queue 

! 

interface Serial3/1 


description This is the Frame Relay interface to the Frame 
Relay switch. 


bandwidth 128 

no ip address 

encapsulation frame-relay 

no fair-queue 

frame-relay class shape 

frame-relay traffic-shaping 

! 

interface Serial3/1.1 point-to-point 
description This is the Frame Relay PVC to Branch 
ip address 10.3.150.1 255.255.255.0 
frame-relay interface-dlci 312 
crypto map mymap 

! 
interface Serial3/2 

no ip address 

shutdown 

! 
interface Serial3/3 

no ip address 

shutdown 

! 
interface Dialer2 

description This the Dialer to SOHO 
ip address 10.3.210.1 255.255.255.0 
encapsulation ppp 

dialer pool 2 

dialer remote-name soho 3 

dialer string 5553300 

dialer-group 1 


ppp authentication chap 
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! 
router eigrp 100 
passive-interface Dialer2 
network 10.0.0.0 
no auto-summary 
! 
ip classless 
ip route 10.3.100.0 255.255.255.0 10.3.210.3 
ip http server 
! 
! 
map-class frame-relay shape 
frame-relay cir 96000 
frame-relay be 128000 
frame-relay adaptive-shaping becn 
service-policy output outbound-q 
access-list 100 permit tcp any eq www any 


access-list 101 permit ip 10.3.0.0 0.0.0.255 10.3.10.0 
0.0.0.255 


dialer-list 1 protocol ip permit 
! 

! 

dial-peer cor custom 
! 

! 

! 

! 

! 

line con 0 

line 65 70 
flush-at-activation 
line aux 0 

line vty 0 4 

! 


end 


174 Building Cisco Remote Access Networks (BCRAN) v2.1 Copyright © 2004, Cisco Systems, Inc. 


SOHO Router End Configuration 


version 12.2 
service timestamps debug uptime 
service timestamps log uptime 
no service password-encryption 
! 
hostname soho_3 
! 
enable secret 5 $1$QJ1/SrtAvmCRB9R4rhstjC1G5// 
! 
username central_3 password 0 cisco 
ip subnet-zero 
! 
isdn switch-type basic-5ess 
! 
! 
! 
! 
interface Ethernet0O 
ip address 10.3.100.3 255.255.255.0 
! 
interface BRIO 
no ip address 
encapsulation ppp 
dialer pool-member 2 
isdn switch-type basic-5ess 
ppp authentication chap 
! 
interface Dialer2 
ip address 10.3.210.3 255.255.255.0 
encapsulation ppp 
dialer pool 2 
dialer remote-name central_3 
dialer string 5553100 
dialer-group 1 
ppp authentication chap 
! 
ip classless 
ip route 0.0.0.0 0.0.0.0 10.3.210.1 


no ip http server 
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! 

! 

line con 0 

line vty 0 4 
! 


end 
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